Windows Analysis Report
install.exe

Overview

General Information

Sample name: install.exe
Analysis ID: 1570456
MD5: 00aa0268a34884bb4fe5dd33045fd936
SHA1: 48f2340d92ce6249c5e903376d8bfff065c3fa8c
SHA256: 71f0f0220ff22b380c0df240e60b5ba369557e12477187dbbef3ab77d2c91d81
Tags: exe, silverfox, winos, user-kafan_shengui

Detection

ValleyRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for submitted file
Yara detected ValleyRAT
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain checking for user administrative privileges
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Tries to disable installed Antivirus / HIPS / PFW
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • install.exe (PID: 3992 cmdline: "C:\Users\user\Desktop\install.exe" MD5: 00AA0268A34884BB4FE5DD33045FD936)
    • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 6252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dllhost.exe (PID: 6928 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • ParphaCrashReport64.exe (PID: 5576 cmdline: "C:\Program Files\Windows Mail\ParphaCrashReport64.exe" MD5: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A)
      • svchost.exe (PID: 7204 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dllhost.exe (PID: 7244 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: svchost.exe PID: 1044 | JoeSecurity_ValleyRAT | Yara detected ValleyRAT | Joe Security |
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\install.exe", ParentImage: C:\Users\user\Desktop\install.exe, ParentProcessId: 3992, ParentProcessName: install.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1044, ProcessName: svchost.exe
    Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\install.exe", ParentImage: C:\Users\user\Desktop\install.exe, ParentProcessId: 3992, ParentProcessName: install.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1044, ProcessName: svchost.exe
    No Suricata rule has matched

    AV Detection

    Source: install.exe | Virustotal: Detection: 19%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.4% probability
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.dll
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.bin
    Source: Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: install.exe, install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000004.00000002.1719701802.00007FFE0EC59000.00000002.00000001.01000000.00000009.sdmp, arphaDump64.dll.2.dr
    Source: Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: install.exe, install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000004.00000002.1719423937.00007FF656DF2000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe, 00000004.00000000.1703757573.00007FF656DF2000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe.2.dr
    Source: Binary string: C:\Users\Administrator\Desktop\QtWidgetsApplication1\x64\Release\QtWidgetsApplication1.pdb source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F6810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,2_2_000001845C4F6810
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,3_2_0000000180026810
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,4_2_0000000180026810
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EDDD0 malloc,memset,FindFirstFileW,free,2_2_000001845C4EDDD0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EC850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4EC850
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EE210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,2_2_000001845C4EE210
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4ECCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4ECCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,3_2_000000018001E210
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001C850
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001CCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,3_2_000000018001DDD0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FF656DE8F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,4_2_00007FF656DE8F78
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FFE0EC505EC FindFirstFileExW,4_2_00007FFE0EC505EC
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,4_2_000000018001E210
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001C850
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001CCF0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,4_2_000000018001DDD0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FCD30 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,lstrcpyW,lstrcatW,2_2_000001845C4FCD30
    Source: unknown | TCP traffic detected without corresponding DNS query: 18.166.104.207 (37 occurrences)
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C503E20 memset,CreateEventW,WSARecv,WSAGetLastError,WaitForMultipleObjects,WSAGetOverlappedResult,WSAGetLastError,CloseHandle,2_2_000001845C503E20
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ejemplo.com
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://eksempel.dk
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore/category/extensions
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=cs&category=theme81https://myactivity.google.com/myactivity/?u
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=csCtrl$1
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=da&category=theme81https://myactivity.google.com/myactivity/?u
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=daCtrl$1
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en-GBCtrl$1
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=es-419Ctrl$1
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=lv&category=theme81https://myactivity.google.com/myactivity/?u
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=lvCtrl$1
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=ms&category=theme81https://myactivity.google.com/myactivity/?u
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=msCtrl$1
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=nl&category=theme81https://myactivity.google.com/myactivity/?u
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=nlCtrl$1
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=no&category=theme81https://myactivity.google.com/myactivity/?u
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=noCtrl$1
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://ejemplo.com.Se
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://eksempel.dk.Brug
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://myactivity.google.com/
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://passwords.google.comGemte
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://passwords.google.comKata
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://passwords.google.comLagrede
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://passwords.google.comOpgeslagen
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comSaglab
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comSaved
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comSe
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comUlo
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://policies.google.com/
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/a/answer/9122284
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/answer/96817
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chromebook?p=app_intent
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.eksempel.comWebadressen
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&N
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlB&antuanDiurus
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpBeheerd
    Source: install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&j
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&jelpAdministreres
    Source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&al
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E97D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E99F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F6200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FF1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EAC60 DefWindowProcW,SendMessageW,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,lstrlenW,lstrlenW,GlobalUnlock,CloseClipboard,VirtualFree,VirtualFree,CloseClipboard,SendMessageW,PostQuitMessage
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EA410 GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState
    Source: install.exe, 00000000.00000002.1702841642.000002394A2B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices (memstr_0b0d1403-3)
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180005824 realloc,NtQuerySystemInformation
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800080F2 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E2830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E1AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E1C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018000B822 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180008F54 realloc,NtQuerySystemInformation
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F05A0 CreateFileW,memset,lstrlenA,DeviceIoControl,CloseHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E5FB0 GetCurrentProcessId,TerminateThread,TerminateProcess,lstrcmpiW,Sleep,ExitThread,memset,lstrcatW,lstrcatW,memset,GetSystemDirectoryW,GetLastError,lstrcatW,lstrcatW,lstrcatW,OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SysAllocString,Sleep,GetCurrentProcess,TerminateProcess
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EFF40 WTSQueryUserToken,GetLastError,DuplicateTokenEx,ConvertStringSidToSidW,GetLengthSid,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask
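The API-chain rows above are the part of this section that carries the behavioural evidence: clipboard read and write loops, repeated GetAsyncKeyState polling, WTSQueryUserToken followed by DuplicateTokenEx and CreateProcessAsUserW (a service spawning a process in the logged-on user's session), DeleteService followed by a run of SetFileAttributesW/DeleteFileW and TerminateProcess (service removal and self-wipe), VirtualAllocEx/WriteProcessMemory into another process, and direct Nt* calls. The following Python is an added triage example, not part of the Joe Sandbox report and not code from the sample or from Joe Security: it parses rows in this report's "Source: ... Code function: <id> <API>,<API>,..." format and tags each function with the capability its call sequence suggests. The capability table, the tag names and the four-call GetAsyncKeyState threshold are this example's own assumptions; the sample rows are copied from the section above and are the constructed input.

```python
"""Tag Joe Sandbox 'Code function' rows by the capability their API chain suggests.

Added example, not from the report or the analysed sample. The row format is the
one used in the section above; the capability table below is an assumption of
this example, not a Joe Sandbox signature.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: rows copied from the report section above, one per line.
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E97D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,2_2_000001845C4E97D0
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EAC60 DefWindowProcW,SendMessageW,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,lstrlenW,lstrlenW,GlobalUnlock,CloseClipboard,VirtualFree,VirtualFree,CloseClipboard,SendMessageW,PostQuitMessage
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EA410 GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState
Source: C:\Users\user\Desktop\install.exe Code function: 0_2_00000001800080F2 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort,0_2_00000001800080F2
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F05A0: CreateFileW,memset,lstrlenA,DeviceIoControl,CloseHandle
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E5FB0 GetCurrentProcessId,TerminateThread,TerminateProcess,lstrcmpiW,Sleep,ExitThread,memset,lstrcatW,lstrcatW,memset,GetSystemDirectoryW,GetLastError,lstrcatW,lstrcatW,lstrcatW,OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SysAllocString,Sleep,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EFF40 WTSQueryUserToken,GetLastError,DuplicateTokenEx,ConvertStringSidToSidW,GetLengthSid,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180009BC0 0_2_0000000180009BC0
"""

# Joe Sandbox function ids look like <pid>_<round>_<hex address>.
FUNC_ID = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")

# Ordered API subsequences that characterise a behaviour (assumption of this example).
CAPABILITIES: Dict[str, List[str]] = {
    "clipboard-write": ["OpenClipboard", "SetClipboardData", "CloseClipboard"],
    "clipboard-read": ["OpenClipboard", "GetClipboardData", "CloseClipboard"],
    "session-token-spawn": ["WTSQueryUserToken", "DuplicateTokenEx", "CreateProcessAsUserW"],
    "service-delete": ["OpenSCManagerW", "OpenServiceW", "DeleteService"],
    "file-wipe-then-exit": ["SetFileAttributesW", "DeleteFileW", "TerminateProcess"],
    "remote-memory-write": ["VirtualAllocEx", "WriteProcessMemory"],
    "driver-ioctl": ["CreateFileW", "DeviceIoControl"],
}
KEYSTATE_POLL_THRESHOLD = 4  # GetAsyncKeyState calls in one function before we call it polling


def parse_row(row: str) -> Tuple[str, str, List[str]]:
    """Split one row into (source image, function id, API list).

    Accepts rows with or without the ' | ' column separator and with or without
    the trailing repeat of the function id that the report's third column holds.
    """
    head, _, tail = row.partition("Code function:")
    image = head.replace("Source:", "", 1).strip().rstrip("|").strip()
    tokens = tail.replace(":", " ").replace(",", " ").split()
    if not tokens or not FUNC_ID.match(tokens[0]):
        raise ValueError(f"not a code-function row: {row!r}")
    func = tokens[0]
    apis = [t for t in tokens[1:] if t != func]  # drop the repeated id, keep call order
    return image, func, apis


def is_subsequence(needle: List[str], haystack: List[str]) -> bool:
    """True if every name in needle appears in haystack in that order (gaps allowed)."""
    it = iter(haystack)
    return all(any(api == want for api in it) for want in needle)


def classify(apis: List[str]) -> List[str]:
    """Return the capability tags whose API pattern the call chain matches."""
    tags = [name for name, seq in CAPABILITIES.items() if is_subsequence(seq, apis)]
    if apis.count("GetAsyncKeyState") >= KEYSTATE_POLL_THRESHOLD:
        tags.append("keystroke-polling")
    if any(a.startswith("Nt") and a[2:3].isupper() for a in apis):
        tags.append("native-api")  # direct Nt* use, consistent with the syscall finding above
    return tags


def triage(text: str) -> Dict[str, Dict[str, object]]:
    """Parse every non-empty row and return {function id: {image, apis, tags}}."""
    result: Dict[str, Dict[str, object]] = {}
    for line in text.strip().splitlines():
        image, func, apis = parse_row(line)
        result[func] = {"image": image, "apis": apis, "tags": classify(apis)}
    return result


if __name__ == "__main__":
    for func, info in triage(SAMPLE_ROWS).items():
        print(f"{func}  {info['image']}  {', '.join(info['tags']) or '-'}")
```

Only rows that carry an API chain produce tags; the bare "Code function: <id>" rows that follow in the report parse to an empty API list and stay untagged, so the script separates the behavioural evidence from the plain function inventory. The ordered-subsequence check is deliberately loose: it tolerates the memset, lstrcat and GetLastError noise between the calls that matter, which is how these chains look in practice.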
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800080F2
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180009BC0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800054D5
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800015B0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180001010
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180003833
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180028038
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180014848
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000284D
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018002C080
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180003880
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800180EE
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000290C
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180004153
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180002170
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000B1AC
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800069E0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800151E8
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180002A06
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180001A10
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180002A19
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180003220
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000225E
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018001AA6C
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000B280
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180006AB0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000C2D0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180003AE0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000435B
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000C370
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180023B98
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800033B8
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018001FC0C
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180028464
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180003464
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000947B
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180002C8A
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180004CB0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800044C1
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180003CF2
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180002526
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180003530
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180007550
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180001D60
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180016D88
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800045A9
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180003DBC
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000360B
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000B620
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180002E24
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180005E58
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180002666
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180029E8C
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000469C
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180024EB0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000BEB0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000B6C0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180008EC0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018001FED8
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_00000001800096E0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000DEE8
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018000C6F0
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180003717
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180010F18
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180021F44
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180006F70
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180002777
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180001010
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180001A10
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180001D60
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003833
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180028038
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180014848
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000284D
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018002C080
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003880
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800180EE
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800080F2
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000290C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180004153
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002170
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000B1AC
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800069E0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800151E8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002A06
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002A19
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003220
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000225E
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018001AA6C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000B280
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180006AB0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000C2D0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003AE0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000435B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000C370
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180023B98
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800033B8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180009BC0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018001FC0C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180028464
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003464
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000947B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002C8A
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180004CB0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800044C1
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800054D5
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003CF2
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002526
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003530
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180007550
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180016D88
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800045A9
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003DBC
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000360B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000B620
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002E24
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180005E58
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002666
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180029E8C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000469C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180024EB0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000BEB0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000B6C0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180008EC0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018001FED8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800096E0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000DEE8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000C6F0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003717
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180010F18
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180021F44
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180006F70
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002777
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF374F2
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF474EE
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF5B480
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32C80
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF43C48
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31C4D
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF57438
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32C33
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF30410
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31B77
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF36370
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF51344
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32B17
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF40318
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3D2E8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3BAF0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF4F2D8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF38AE0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF382C0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3AAC0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF542B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3B2B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF33A9C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF5928C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31A66
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF35258
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32224
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3AA20
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32A0B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF331BC
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF339A9
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF309B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF46188
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31160
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF36950
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31926
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32930
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF330F2
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF348D5
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF338C1
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF340B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3208A
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3887B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32864
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF578642_2_000001845BF57864
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF4F00C2_2_000001845BF4F00C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF327B82_2_000001845BF327B8
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF38FC02_2_000001845BF38FC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF52F982_2_000001845BF52F98
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3B7702_2_000001845BF3B770
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3375B2_2_000001845BF3375B
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF326202_2_000001845BF32620
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF32EE02_2_000001845BF32EE0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3B6D02_2_000001845BF3B6D0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF35EB02_2_000001845BF35EB0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3A6802_2_000001845BF3A680
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF49E6C2_2_000001845BF49E6C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3165E2_2_000001845BF3165E
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF31E192_2_000001845BF31E19
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF326202_2_000001845BF32620
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF31E062_2_000001845BF31E06
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF30E102_2_000001845BF30E10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF445E82_2_000001845BF445E8
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF35DE02_2_000001845BF35DE0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3A5AC2_2_000001845BF3A5AC
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF315702_2_000001845BF31570
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF335532_2_000001845BF33553
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF31D0C2_2_000001845BF31D0C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F06802_2_000001845C4F0680
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E21402_2_000001845C4E2140
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EF9E02_2_000001845C4EF9E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DED502_2_000001845C4DED50
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EE5502_2_000001845C4EE550
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6D442_2_000001845C4D6D44
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D656A2_2_000001845C4D656A
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D1D802_2_000001845C4D1D80
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F65302_2_000001845C4F6530
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FAD302_2_000001845C4FAD30
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C508D242_2_000001845C508D24
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D75D22_2_000001845C4D75D2
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DF5E02_2_000001845C4DF5E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DC5F02_2_000001845C4DC5F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DEDF02_2_000001845C4DEDF0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C50DE002_2_000001845C50DE00
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F4D902_2_000001845C4F4D90
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F55902_2_000001845C4F5590
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D95882_2_000001845C4D9588
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D2D8A2_2_000001845C4D2D8A
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7DA12_2_000001845C4D7DA1
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E8DA02_2_000001845C4E8DA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EB5A02_2_000001845C4EB5A0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FBDC02_2_000001845C4FBDC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5026602_2_000001845C502660
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C50664B2_2_000001845C50664B
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5266702_2_000001845C526670
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6E102_2_000001845C4D6E10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DCE102_2_000001845C4DCE10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E3E102_2_000001845C4E3E10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F9E102_2_000001845C4F9E10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D5E062_2_000001845C4D5E06
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DFE202_2_000001845C4DFE20
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D16302_2_000001845C4D1630
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E66302_2_000001845C4E6630
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EAE402_2_000001845C4EAE40
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D3EC72_2_000001845C4D3EC7
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E76E02_2_000001845C4E76E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6EEB2_2_000001845C4D6EEB
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F47002_2_000001845C4F4700
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7E892_2_000001845C4D7E89
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DA6A02_2_000001845C4DA6A0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D769C2_2_000001845C4D769C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C529E902_2_000001845C529E90
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E9EC02_2_000001845C4E9EC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C506F5F2_2_000001845C506F5F
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5037602_2_000001845C503760
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D5F462_2_000001845C4D5F46
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E6F602_2_000001845C4E6F60
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D176F2_2_000001845C4D176F
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E87802_2_000001845C4E8780
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F1F802_2_000001845C4F1F80
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7F7C2_2_000001845C4D7F7C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EF7102_2_000001845C4EF710
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D67042_2_000001845C4D6704
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D271A2_2_000001845C4D271A
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FA7F02_2_000001845C4FA7F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6FF72_2_000001845C4D6FF7
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D1F882_2_000001845C4D1F88
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C504FA02_2_000001845C504FA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E7FA02_2_000001845C4E7FA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C514F902_2_000001845C514F90
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E5FB02_2_000001845C4E5FB0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5067B82_2_000001845C5067B8
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EEFC02_2_000001845C4EEFC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F4FC02_2_000001845C4F4FC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F57C02_2_000001845C4F57C0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D4FB52_2_000001845C4D4FB5
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EC8502_2_000001845C4EC850
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D60572_2_000001845C4D6057
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D10702_2_000001845C4D1070
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F78702_2_000001845C4F7870
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F88802_2_000001845C4F8880
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DB8222_2_000001845C4DB822
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FE0102_2_000001845C4FE010
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5008102_2_000001845C500810
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E38D02_2_000001845C4E38D0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D20C72_2_000001845C4D20C7
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DE8DC2_2_000001845C4DE8DC
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FF8902_2_000001845C4FF890
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C50A8BC2_2_000001845C50A8BC
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E51502_2_000001845C4E5150
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D71602_2_000001845C4D7160
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D29712_2_000001845C4D2971
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E11802_2_000001845C4E1180
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D517C2_2_000001845C4D517C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D517A2_2_000001845C4D517A
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DA1102_2_000001845C4DA110
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D71132_2_000001845C4D7113
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F49302_2_000001845C4F4930
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D612D2_2_000001845C4D612D
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5141402_2_000001845C514140
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DA1E02_2_000001845C4DA1E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E99F02_2_000001845C4E99F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D61EC2_2_000001845C4D61EC
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DFA002_2_000001845C4DFA00
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E91902_2_000001845C4E9190
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EA1902_2_000001845C4EA190
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D219F2_2_000001845C4D219F
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DE9B02_2_000001845C4DE9B0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D5A502_2_000001845C4D5A50
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D12642_2_000001845C4D1264
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D227C2_2_000001845C4D227C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5012702_2_000001845C501270
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F1A102_2_000001845C4F1A10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F5A102_2_000001845C4F5A10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7A332_2_000001845C4D7A33
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E82302_2_000001845C4E8230
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D3A322_2_000001845C4D3A32
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FAA302_2_000001845C4FAA30
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EEA402_2_000001845C4EEA40
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EAAD02_2_000001845C4EAAD0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FB2D02_2_000001845C4FB2D0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C505AD02_2_000001845C505AD0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DD2F02_2_000001845C4DD2F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D62E62_2_000001845C4D62E6
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D33002_2_000001845C4D3300
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6B002_2_000001845C4D6B00
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F93002_2_000001845C4F9300
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D62F92_2_000001845C4D62F9
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F72902_2_000001845C4F7290
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DFAA02_2_000001845C4DFAA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D4A982_2_000001845C4D4A98
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E2B502_2_000001845C4E2B50
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F4B602_2_000001845C4F4B60
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F53402_2_000001845C4F5340
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D5B3E2_2_000001845C4D5B3E
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E73D02_2_000001845C4E73D0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D83E02_2_000001845C4D83E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D2BD62_2_000001845C4D2BD6
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D13F72_2_000001845C4D13F7
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DCBAB2_2_000001845C4DCBAB
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D73C02_2_000001845C4D73C0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F3BC02_2_000001845C4F3BC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC542_2_000001845C4FFC54
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC5D2_2_000001845C4FFC5D
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC4B2_2_000001845C4FFC4B
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D34702_2_000001845C4D3470
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F34642_2_000001845C4F3464
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DAC802_2_000001845C4DAC80
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E44102_2_000001845C4E4410
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D8C052_2_000001845C4D8C05
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C500C202_2_000001845C500C20
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6B002_2_000001845C4D6B00
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4ED4202_2_000001845C4ED420
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC392_2_000001845C4FFC39
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC422_2_000001845C4FFC42
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC272_2_000001845C4FFC27
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7C3B2_2_000001845C4D7C3B
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC302_2_000001845C4FFC30
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D2CD22_2_000001845C4D2CD2
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D54E02_2_000001845C4D54E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F24E02_2_000001845C4F24E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4ECCF02_2_000001845C4ECCF0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5034F02_2_000001845C5034F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F5C902_2_000001845C4F5C90
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C506C9E2_2_000001845C506C9E
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6C982_2_000001845C4D6C98
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C505C902_2_000001845C505C90
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E9CB02_2_000001845C4E9CB0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F44B02_2_000001845C4F44B0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D3CA62_2_000001845C4D3CA6
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800121403_2_0000000180012140
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800151503_2_0000000180015150
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800224E03_2_00000001800224E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800206803_2_0000000180020680
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800176E03_2_00000001800176E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001F9E03_2_000000018001F9E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001AAD03_2_000000018001AAD0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180013E103_2_0000000180013E10
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180006FF73_2_0000000180006FF7
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002E0103_2_000000018002E010
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800060573_2_0000000180006057
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800010703_2_0000000180001070
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800020C73_2_00000001800020C7
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000A1103_2_000000018000A110
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800071133_2_0000000180007113
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000612D3_2_000000018000612D
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800441403_2_0000000180044140
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800071603_2_0000000180007160
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000517A3_2_000000018000517A
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000517C3_2_000000018000517C
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800111803_2_0000000180011180
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001A1903_2_000000018001A190
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800191903_2_0000000180019190
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000219F3_2_000000018000219F
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000A1E03_2_000000018000A1E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800061EC3_2_00000001800061EC
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800182303_2_0000000180018230
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800012643_2_0000000180001264
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800312703_2_0000000180031270
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000227C3_2_000000018000227C
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800272903_2_0000000180027290
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002B2D03_2_000000018002B2D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800642E03_2_00000001800642E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800062E63_2_00000001800062E6
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000D2F03_2_000000018000D2F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800062F93_2_00000001800062F9
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800293003_2_0000000180029300
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800033003_2_0000000180003300
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800623273_2_0000000180062327
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800253403_2_0000000180025340
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018005B3803_2_000000018005B380
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800073C03_2_00000001800073C0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800173D03_2_00000001800173D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800083E03_2_00000001800083E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800013F73_2_00000001800013F7
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018004C4103_2_000000018004C410
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800144103_2_0000000180014410
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001D4203_2_000000018001D420
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800234643_2_0000000180023464
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800034703_2_0000000180003470
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800244B03_2_00000001800244B0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800054E03_2_00000001800054E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800334F03_2_00000001800334F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800265303_2_0000000180026530
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001E5503_2_000000018001E550
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000656A3_2_000000018000656A
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800095883_2_0000000180009588
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800255903_2_0000000180025590
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001B5A03_2_000000018001B5A0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800075D23_2_00000001800075D2
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000F5E03_2_000000018000F5E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000C5F03_2_000000018000C5F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800166303_2_0000000180016630
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800016303_2_0000000180001630
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018003664B3_2_000000018003664B
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800326603_2_0000000180032660
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800566703_2_0000000180056670
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000769C3_2_000000018000769C
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000A6A03_2_000000018000A6A0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800486E03_2_00000001800486E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800247003_2_0000000180024700
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800067043_2_0000000180006704
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001F7103_2_000000018001F710
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000271A3_2_000000018000271A
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800337603_2_0000000180033760
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800637703_2_0000000180063770
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000176F3_2_000000018000176F
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800187803_2_0000000180018780
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800527903_2_0000000180052790
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800367B83_2_00000001800367B8
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800257C03_2_00000001800257C0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002A7F03_2_000000018002A7F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800308103_2_0000000180030810
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000B8223_2_000000018000B822
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001C8503_2_000000018001C850
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800278703_2_0000000180027870
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800288803_2_0000000180028880
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002F8903_2_000000018002F890
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018003A8BC3_2_000000018003A8BC
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800138D03_2_00000001800138D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000E8DC3_2_000000018000E8DC
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800249303_2_0000000180024930
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800029713_2_0000000180002971
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000E9B03_2_000000018000E9B0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800199F03_2_00000001800199F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180053A003_2_0000000180053A00
    Source: Joe Sandbox View | Dropped File: C:\Program Files\Windows Mail\ParphaCrashReport64.exe E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
    Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000000180044F40 appears 61 times
    Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000000180041800 appears 91 times
    Source: C:\Windows\System32\svchost.exe | Code function: String function: 000001845C514F40 appears 36 times
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: String function: 0000000180044F40 appears 61 times
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: String function: 0000000180041800 appears 91 times
    Source: install.exe | Binary or memory string: OriginalFilename vs install.exe
    Source: install.exe, 00000000.00000000.1680628616.00007FF6967F1000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameqdbusviewer.exe( vs install.exe
    Source: install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs install.exe
    Source: install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs install.exe
    Source: install.exe | Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
    Source: install.exe | Binary or memory string: ndre-land.nonet.slnet.soin-brb.de123website.lutrentino-stirol.it
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/4@0/1
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F0680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,2_2_000001845C4F0680
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EFD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,2_2_000001845C4EFD10
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FCE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,2_2_000001845C4FCE70
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F7870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4F7870
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F9A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,2_2_000001845C4F9A70
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F9300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4F9300
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F7290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4F7290
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F0480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,2_2_000001845C4F0480
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,3_2_0000000180020680
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180027290
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180029300
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,3_2_0000000180020480
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180027870
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,3_2_0000000180029A70
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,3_2_000000018001FD10
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,3_2_000000018002CE70
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,4_2_0000000180020480
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,4_2_0000000180020680
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_0000000180027290
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_0000000180029300
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_0000000180027870
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,4_2_0000000180029A70
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,4_2_000000018001FD10
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,4_2_000000018002CE70
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EC4E0 memset,memset,memset,QueryDosDeviceW,GetDriveTypeW,lstrlenW,GetVolumeInformationW,lstrlenW,GetDiskFreeSpaceExW,2_2_000001845C4EC4E0
    Source: C:\Windows\System32\svchost.exe | Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,2_2_000001845C4F63C0
    Source: C:\Windows\System32\svchost.exe | Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,3_2_00000001800263C0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,4_2_00000001800263C0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FC950 memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,2_2_000001845C4FC950
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180001A10 CoInitialize,CLSIDFromString,IIDFromString,CoCreateInstance,0_2_0000000180001A10
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FF656DD4000 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,4_2_00007FF656DD4000
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E2140 WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess,2_2_000001845C4E2140
    Source: C:\Windows\System32\svchost.exe | File created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: install.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\install.exe | System information queried: HandleInformation
    Source: C:\Users\user\Desktop\install.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: install.exe | Virustotal: Detection: 19%
    Source: svchost.exe | String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: svchost.exe | String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: ParphaCrashReport64.exe | String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: ParphaCrashReport64.exe | String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: install.exe | String found in binary or memory: <!--StartFragment-->
    Source: install.exe | String found in binary or memory: <!--StartFragment--><!--EndFragment-->
    Source: install.exe | String found in binary or memory: process-stop
    Source: install.exe | String found in binary or memory: media-playback-start
    Source: install.exe | String found in binary or memory: media-playback-stop
    Source: install.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/standardbutton-help-16.png
    Source: install.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/stop-24.png
    Source: install.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/media-stop-32.png
    Source: install.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/standardbutton-help-32.png
    Source: install.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/standardbutton-help-128.png
    Source: install.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/stop-32.png
    Source: install.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/media-stop-16.png
    Source: install.exe | String found in binary or memory: dialog-help-icon
    Source: install.exe | String found in binary or memory: filedialog-start-icon
    Source: install.exe | String found in binary or memory: media-stop-16.png
    Source: install.exe | String found in binary or memory: media-stop-32.png
    Source: install.exe | String found in binary or memory: standardbutton-help-128.png
    Source: install.exe | String found in binary or memory: Gstandardbutton-help-16.png
    Source: install.exe | String found in binary or memory: Gstandardbutton-help-32.png
    Source: install.exe | String found in binary or memory: tab-stops
    Source: install.exe | String found in binary or memory: tab-stop
    Source: install.exeString found in binary or memory: Africa/Addis_Ababa
    Source: install.exeString found in binary or memory: in-addr.arpa
    Source: install.exeString found in binary or memory: y.noin-addr.arpacc.ct.usyamato.fukushima.jpdp.uaslg.brullensvang.noweb.nfclerk.appweb.niwww.robarsy.pubassn.lkradoy.noauthgearapps.comleitungsen.defukaya.saitama.jphk.comhole.nofrom-sd.comtsuno.kochi.jpcantho.vnnamaste.jptrafficplex.cloudilovecollege.infotrader.aerofetsund.noinatsuki.fukuoka.jpms.leg.brhadano.kanagawa.jphikawa.shimane.jpac.gov.brwatari.miyagi.jpdrud.iofvg.itambulance.aerotrentino-aadige.itnoto.ishikawa.jp*.spectrum.myjino.rune.jpweb.pkus-west-2.elasticbeanstalk.comsevenlaw.zane.keisesaki.gunma.jpholy.jpjeonnam.krchirurgiens-dentistes-en-france.frk12.in.usbozen-s
    Source: unknown | Process created: C:\Users\user\Desktop\install.exe "C:\Users\user\Desktop\install.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Users\user\Desktop\install.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: msimg32.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\install.exe | Section loaded: dwrite.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: napinsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: pnrpnsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wshbth.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winrnr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: devenum.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msdmo.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: apphelp.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: arphadump64.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: kernel.appcore.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: winmm.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: netapi32.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: samcli.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: netutils.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: wtsapi32.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: userenv.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: iphlpapi.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: urlmon.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: iertutil.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: srvcli.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: firewallapi.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: dnsapi.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: fwbase.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: napinsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: pnrpnsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wshbth.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winrnr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: devenum.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msdmo.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\InprocServer32
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.dll
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.bin
    Source: install.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: install.exe | Static PE information: Image base 0x140000000 > 0x60000000
    Source: install.exe | Static file information: File size 23967232 > 1048576
    Source: install.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xb59400
    Source: install.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x95c600
    Source: install.exe | Static PE information: More than 200 imports for KERNEL32.dll
    Source: install.exe | Static PE information: More than 200 imports for USER32.dll
    Source: install.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: install.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: install.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: install.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: install.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: install.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: install.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: install.exe, install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000004.00000002.1719701802.00007FFE0EC59000.00000002.00000001.01000000.00000009.sdmp, arphaDump64.dll.2.dr
    Source: Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: install.exe, install.exe, 00000000.00000002.1703431495.000002394BB00000.00000004.00001000.00020000.00000000.sdmp, install.exe, 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000004.00000002.1719423937.00007FF656DF2000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe, 00000004.00000000.1703757573.00007FF656DF2000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe.2.dr
    Source: Binary string: C:\Users\Administrator\Desktop\QtWidgetsApplication1\x64\Release\QtWidgetsApplication1.pdb source: install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp
    Source: install.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: install.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: install.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: install.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: install.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F4080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,2_2_000001845C4F4080
    Source: install.exe | Static PE information: section name: .xdata
    Source: install.exe | Static PE information: section name: .qtmetad
    Source: install.exe | Static PE information: section name: .qtmimed
    Source: install.exe | Static PE information: section name: _RDATA
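    The static PE lines above (section names, .text and .rdata sizes, image base) can be reproduced offline with a small header parser. The following is an added example and is not part of the Joe Sandbox report or of the sample; it constructs a header-only PE32+ image in memory whose section names and .text/.rdata raw sizes mirror the lines above (the remaining sizes, and the virtual sizes, are assumed) and then triages it the way the report does. Two caveats worth keeping in mind when reading those lines: the IMAGE_SECTION_HEADER name field is 8 bytes, so Qt's `.qtmetadata` and `.qtmimedatabase` sections appear truncated as `.qtmetad` and `.qtmimed`, which together with the QtWidgetsApplication1.pdb path simply says the dropper is a Qt application; and 0x140000000 is the Microsoft linker's default image base for 64-bit executables, so the "Image base 0x140000000 > 0x60000000" line carries no signal by itself. The list of standard section names and the set of default image bases are illustrative assumptions.

```python
"""Parse the PE header fields behind the 'Static PE information' lines above.

Added example: not Joe Sandbox code and not the sample's code. build_sample_pe()
CONSTRUCTS a header-only PE32+ image in memory so the parser can run offline;
section names and the .text/.rdata raw sizes come from the report, everything
else about the sample image is assumed.
"""
import struct

# Assumption: sections a stock MSVC/link.exe build of a Windows binary emits.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".bss"}
# link.exe defaults: 64-bit EXE, 64-bit DLL, 32-bit EXE, 32-bit DLL.
DEFAULT_IMAGE_BASES = {0x140000000, 0x180000000, 0x400000, 0x10000000}
ONE_MIB = 0x100000
SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return machine, PE32/PE32+ flag, image base and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+: ImageBase is a QWORD at optional-header offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:      # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        # The name field is 8 bytes, so longer names arrive truncated (.qtmetadata -> .qtmetad).
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1],
                         "vaddr": f[2], "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return {"machine": machine, "pe32plus": magic == 0x20B, "image_base": image_base, "sections": sections}


def triage(info):
    """Reproduce the report's static checks: odd section names, oversized .text, image base."""
    notes = []
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            notes.append(f"non-standard section name: {s['name']}")
        if s["name"] == ".text" and max(s["vsize"], s["rawsize"]) > ONE_MIB:
            notes.append(f".text larger than 1 MiB: vsize={s['vsize']:#x} raw={s['rawsize']:#x}")
    if info["image_base"] not in DEFAULT_IMAGE_BASES:
        notes.append(f"non-default image base {info['image_base']:#x}")
    return notes


def build_sample_pe(sections, image_base=0x140000000):
    """Construct a header-only x64 PE32+ image: DOS stub, COFF header, optional header, section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                # e_lfanew points right after the stub
    opt_size = 240                                            # standard PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, image_base)
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode("latin-1")[:8].ljust(8, b"\0"), vsize,
                    0x1000 * (i + 1), rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rawsize) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed to mirror the report: .text/.rdata raw sizes from the lines above, the rest assumed.
SAMPLE_SECTIONS = [(".text", 0xB59400, 0xB59400), (".rdata", 0x95C600, 0x95C600),
                   (".data", 0x20000, 0x8000), (".pdata", 0x40000, 0x40000), (".xdata", 0x1000, 0x1000),
                   (".qtmetadata", 0x1000, 0x1000), (".qtmimedatabase", 0x40000, 0x40000),
                   ("_RDATA", 0x1000, 0x1000), (".rsrc", 0x1000, 0x1000), (".reloc", 0x10000, 0x10000)]

if __name__ == "__main__":
    info = parse_pe(build_sample_pe(SAMPLE_SECTIONS))
    print(f"image base {info['image_base']:#x}, PE32+={info['pe32plus']}")
    for note in triage(info):
        print(note)
```

    Run against the constructed image, the parser reports the four section names the report calls out (.xdata, .qtmetad, .qtmimed, _RDATA) and the oversized .text, and stays silent on the image base because 0x140000000 is the linker default. Pointing `parse_pe` at a real file is `parse_pe(open(path, "rb").read())`.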
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EC3E0 push rcx; ret 2_2_000001845C4EC3E1
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C3E0 push rcx; ret 3_2_000000018001C3E1
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800619F7 push FF491775h; ret 3_2_00000001800619FC
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001C3E0 push rcx; ret 4_2_000000018001C3E1
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00000001800619F7 push FF491775h; ret 4_2_00000001800619FC
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F30FE VirtualFree,VirtualFree,malloc,malloc,VirtualFree,VirtualFree,NetUserAdd,Sleep,NetLocalGroupAddMembers,free,free,2_2_000001845C4F30FE
    Source: C:\Windows\System32\svchost.exe | File created: C:\Program Files\Windows Mail\arphaDump64.dll
    Source: C:\Windows\System32\svchost.exe | File created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FD060 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_000001845C4FD060
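    The process creations at the top of this section and the file, task and image-load observations just above describe a chain a SOC can hunt for directly: the injected svchost.exe writes ParphaCrashReport64.exe, arphaDump64.dll and arphaDump64.bin into C:\Program Files\Windows Mail, drops a task file directly under Tasks\Microsoft\Windows (MicrosoftMailUpdateTask), launches the dropped executable, which then loads arphaDump64.dll from its own directory (DLL side-loading of a planted DLL next to a legitimately named host), and launches dllhost.exe with a /Processid argument whose CLSID is not a well-formed GUID (the last group of {F8284233-48F4-4680-ADDD-F8284233} has 8 hex digits instead of 12). The following added example, which is not part of the report and not any vendor's detection content, runs those rules over constructed Sysmon-style events (IDs 1, 11 and 7) whose paths and command lines are copied from the lines above. The allow-list of binaries that belong in Windows Mail, the `Signed` field, and the heuristic that built-in tasks live in component subfolders rather than directly in Tasks\Microsoft\Windows are assumptions.

```python
"""Hunt rules for the svchost.exe -> dropped-binary chain in this report.

Added example: not Joe Sandbox code and not the sample's code. The events are
CONSTRUCTED Sysmon-style records (EventID 1 ProcessCreate, 11 FileCreate,
7 ImageLoad) that mirror the observations above. Allow-lists are assumptions.
"""
import ntpath
import re

# Assumption: the binaries that legitimately live in C:\Program Files\Windows Mail.
KNOWN_WINDOWS_MAIL_BINARIES = {"wab.exe", "wabmig.exe", "winmail.exe"}
WINDOWS_MAIL_DIR = "c:\\program files\\windows mail\\"
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MS_TASK_ROOT = "c:\\windows\\system32\\tasks\\microsoft\\windows\\"
# A CLSID is 8-4-4-4-12 hex groups; the report's {F8284233-...-F8284233} is not.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
PROCESSID_RE = re.compile(r"/processid:(\{[^}\s]*\})", re.I)


def _low(path):
    return (path or "").lower()


def check_process_create(ev):
    findings = []
    image, parent = _low(ev["Image"]), _low(ev["ParentImage"])
    name = ntpath.basename(image)
    # svchost.exe hosts services; it does not normally start an unknown
    # executable that was planted in a Windows component directory.
    if (ntpath.basename(parent) == "svchost.exe" and image.startswith(WINDOWS_MAIL_DIR)
            and name not in KNOWN_WINDOWS_MAIL_BINARIES):
        findings.append(("svchost_spawns_unknown_component_binary", image))
    # dllhost.exe /Processid:{CLSID}: flag a CLSID that is not a well-formed GUID.
    if name == "dllhost.exe":
        m = PROCESSID_RE.search(ev.get("CommandLine", ""))
        if m and not GUID_RE.match(m.group(1)):
            findings.append(("dllhost_malformed_processid", m.group(1)))
    return findings


def check_file_create(ev):
    findings = []
    image, target = _low(ev["Image"]), _low(ev["TargetFilename"])
    # A service host writing PE/payload files into Program Files is the drop step.
    if (ntpath.basename(image) == "svchost.exe" and target.startswith(PROGRAM_FILES)
            and target.endswith((".exe", ".dll", ".bin"))):
        findings.append(("svchost_drops_binary_in_program_files", target))
    # Heuristic (assumption): built-in tasks sit in component subfolders, so a
    # task file directly in Tasks\Microsoft\Windows\ is masquerading.
    if target.startswith(MS_TASK_ROOT) and "\\" not in target[len(MS_TASK_ROOT):]:
        findings.append(("task_in_microsoft_windows_root", ntpath.basename(target)))
    return findings


def check_image_load(ev):
    image, loaded = _low(ev["Image"]), _low(ev["ImageLoaded"])
    # Side-loading shape: the EXE resolves a DLL from its own directory rather
    # than System32, and that DLL carries no valid signature.
    if (ntpath.dirname(image) == ntpath.dirname(loaded)
            and not loaded.startswith(SYSTEM_DIRS) and not ev.get("Signed", False)):
        return [("possible_dll_sideload", f"{ntpath.basename(image)} -> {loaded}")]
    return []


RULES = {1: check_process_create, 11: check_file_create, 7: check_image_load}


def hunt(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        findings.extend(RULES.get(ev["EventID"], lambda _e: [])(ev))
    return findings


SAMPLE_EVENTS = [  # constructed; paths and command lines copied from the report
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Program Files\Windows Mail\ParphaCrashReport64.exe",
     "CommandLine": r'"C:\Program Files\Windows Mail\ParphaCrashReport64.exe"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Program Files\Windows Mail\arphaDump64.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Mail\ParphaCrashReport64.exe",
     "ImageLoaded": r"C:\Program Files\Windows Mail\arphaDump64.dll", "Signed": False},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Mail\ParphaCrashReport64.exe",
     "ImageLoaded": r"C:\Windows\System32\winmm.dll", "Signed": True},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

    The benign records (svchost.exe re-spawning `svchost.exe -k netsvcs`, the signed winmm.dll load from System32) produce nothing; the five malicious ones each trip one rule. The side-load rule deliberately keys on "own directory and unsigned" rather than on the file name, because the host executable here is a crash reporter with a plausible name and would pass a name-based allow-list.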

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\svchost.exe | File deleted: c:\users\user\desktop\install.exe
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EBFC0 OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,2_2_000001845C4EBFC0
    Source: C:\Users\user\Desktop\install.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\install.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\install.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\install.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\install.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\install.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
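    Three of the behaviours in this report leave Windows event-log evidence even though the sample tries to remove it. The NetUserAdd, Sleep, NetLocalGroupAddMembers chain in 2_2_000001845C4F30FE produces Security 4720 (account created) followed by 4732 (member added to a security-enabled local group) when account-management auditing is on. The four OpenEventLogW/ClearEventLogW/CloseEventLog triples in 2_2_000001845C4EBFC0 produce Security 1102 and System 104, which are written after the clear and therefore survive it. The deletion of install.exe by svchost.exe shows up as a Sysmon FileDelete (ID 23) where Sysmon is deployed. The following added example, which is not part of the report, correlates those records. The records, the account name svc_update, the SIDs and the timestamps are constructed; the field names follow the normalised one-dict-per-event shape common EVTX-to-JSON converters emit and are an assumption.

```python
"""Correlate event-log records for the account-creation and log-clearing
behaviour described above.

Added example: not Joe Sandbox code and not the sample's code. Records are
CONSTRUCTED and normalised (one dict per event; field names as common
EVTX-to-JSON converters produce); account name, SIDs and times are invented.
"""
import ntpath
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # 4720 and 4732 must land this close together
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def correlate(events):
    """Return (alert, detail) pairs; events may arrive out of order."""
    alerts, created = [], {}            # created: new-account SID -> its 4720 record
    for ev in sorted(events, key=_when):
        chan, eid = ev["Channel"], ev["EventID"]
        if chan == "Security" and eid == 4720:          # NetUserAdd
            created[ev["TargetSid"]] = ev
        elif chan == "Security" and eid == 4732:        # NetLocalGroupAddMembers
            new = created.get(ev["MemberSid"])
            if (new and _when(ev) - _when(new) <= WINDOW
                    and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS):
                alerts.append(("new_local_account_added_to_privileged_group",
                               f"{new['TargetUserName']} -> {ev['TargetUserName']}"))
        elif (chan, eid) in {("Security", 1102), ("System", 104)}:   # ClearEventLogW
            alerts.append(("event_log_cleared", ev["ClearedLog"]))
        elif chan == "Microsoft-Windows-Sysmon/Operational" and eid == 23:
            image, target = ev["Image"].lower(), ev["TargetFilename"].lower()
            # A Windows system binary deleting an .exe out of a user profile is
            # the self-delete step (svchost.exe removing install.exe above).
            if target.endswith(".exe") and "\\users\\" in target and image.startswith("c:\\windows\\"):
                alerts.append(("system_process_deleted_user_executable",
                               f"{ntpath.basename(image)} deleted {target}"))
    return alerts


def severity(alerts):
    kinds = {kind for kind, _ in alerts}
    # A fresh privileged account plus cleared logs on one host is the combination
    # worth paging on; either alone is a medium-confidence lead.
    if {"new_local_account_added_to_privileged_group", "event_log_cleared"} <= kinds:
        return "high"
    return "medium" if kinds else "low"


SAMPLE_RECORDS = [  # constructed; one host, times and identities invented
    {"Channel": "Security", "EventID": 4720, "TimeCreated": "2024-12-05T10:00:05",
     "TargetUserName": "svc_update", "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"Channel": "Security", "EventID": 4732, "TimeCreated": "2024-12-05T10:00:08",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    {"Channel": "Security", "EventID": 4732, "TimeCreated": "2024-12-05T10:00:09",
     "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    {"Channel": "Security", "EventID": 1102, "TimeCreated": "2024-12-05T10:00:20", "ClearedLog": "Security"},
    {"Channel": "System", "EventID": 104, "TimeCreated": "2024-12-05T10:00:21", "ClearedLog": "System"},
    {"Channel": "System", "EventID": 104, "TimeCreated": "2024-12-05T10:00:21", "ClearedLog": "Application"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 23, "TimeCreated": "2024-12-05T10:00:30",
     "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Users\user\Desktop\install.exe"},
    # An admin adding an existing account hours later: no matching 4720, so no alert.
    {"Channel": "Security", "EventID": 4732, "TimeCreated": "2024-12-05T11:30:00",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1001"},
]

if __name__ == "__main__":
    found = correlate(SAMPLE_RECORDS)
    for kind, detail in found:
        print(f"{kind}: {detail}")
    print("severity:", severity(found))
```

    Correlating on the new account's SID (TargetSid in 4720, MemberSid in 4732) rather than on the name avoids the usual mismatch between the "New Account" name in 4720 and the SID-only member field in 4732. The trailing 4732 without a preceding 4720 is left alone on purpose: routine group changes are common, and it is the create-then-elevate sequence inside a short window that matches the sample's call chain.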

    Malware Analysis System Evasion

    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode
    Source: C:\Users\user\Desktop\install.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode (graph_0-13630)
    Source: C:\Windows\System32\svchost.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode (graph_2-45494)
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E6F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4E6F60
    Source: C:\Users\user\Desktop\install.exe | Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,0_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe | Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,2_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,2_2_000001845C4FD140
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4FF890
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,3_2_000000018002D140
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018002F890
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,4_2_000000018002D140
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018002F890
    Source: C:\Windows\System32\svchost.exe | API coverage: 3.9 %
    Source: C:\Windows\System32\svchost.exe | API coverage: 7.5 %
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | API coverage: 3.4 %
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EDDD0 malloc,memset,FindFirstFileW,free,2_2_000001845C4EDDD0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EC850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4EC850
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EE210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,2_2_000001845C4EE210
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4ECCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4ECCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,3_2_000000018001E210
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001C850
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001CCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,3_2_000000018001DDD0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FF656DE8F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,4_2_00007FF656DE8F78
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FFE0EC505EC FindFirstFileExW,4_2_00007FFE0EC505EC
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,4_2_000000018001E210
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001C850
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001CCF0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,4_2_000000018001DDD0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FCD30 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,lstrcpyW,lstrcatW,2_2_000001845C4FCD30
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F24E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4F24E0
    Source: svchost.exe, 00000002.00000002.2934977262.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
    Source: dllhost.exe, 00000005.00000002.2933024397.000001E15FE5C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll((@mP
    Source: install.exe, 00000000.00000000.1680582415.00007FF6965B8000.00000008.00000001.01000000.00000003.sdmp, install.exe, 00000000.00000002.1709096103.00007FF69660B000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@
    Source: svchost.exe, 00000002.00000000.1685617379.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2935078795.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2933662251.00000211C1613000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2933720880.0000024503613000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: ParphaCrashReport64.exe, 00000004.00000002.1718163349.000001E591C39000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDD
    Source: dllhost.exe, 00000007.00000002.2933022239.000001CD0DAEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,,
    Source: C:\Users\user\Desktop\install.exeAPI call chain: ExitProcess graph end nodegraph_0-13637
    Source: C:\Windows\System32\svchost.exeAPI call chain: ExitProcess graph end nodegraph_2-45827
    Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FE010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,2_2_000001845C4FE010
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C534130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_000001845C534130
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF656DDD1E8 GetLastError,IsDebuggerPresent,OutputDebugStringW,4_2_00007FF656DDD1E8
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E6F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4E6F60
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180034DA0 VirtualAlloc ?,?,00000000,0000000180035130,?,?,00000000,0000000180014AAC3_2_0000000180034DA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F4080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,2_2_000001845C4F4080
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FCA60 CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,2_2_000001845C4FCA60
    Source: C:\Users\user\Desktop\install.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_00000001801129E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00000001801129E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C530030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_000001845C530030
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0000000180060030
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0000000180064130
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0000000180060770
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FF656DDEEF4 SetUnhandledExceptionFilter,4_2_00007FF656DDEEF4
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FF656DDED0C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF656DDED0C
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FF656DDE440 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF656DDE440
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FF656DE21D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF656DE21D8
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FFE0EC46270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FFE0EC46270
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FFE0EC4D3B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FFE0EC4D3B4
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FFE0EC45860 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FFE0EC45860
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0000000180060030
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0000000180064130
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0000000180060770

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\svchost.exe | File created: ParphaCrashReport64.exe.2.dr
    Source: C:\Users\user\Desktop\install.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845B370000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\install.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845BE00000 protect: page read and write
    Source: C:\Users\user\Desktop\install.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\install.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845B390000 protect: page read and write
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845C380000 protect: page execute and read and write
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845C390000 protect: page read and write
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845C420000 protect: page execute and read and write
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845C430000 protect: page read and write
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EF9E0 VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,GetLastError,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,memset,GetThreadContext,SetThreadContext,memset,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,GetLastError,2_2_000001845C4EF9E0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F9E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,2_2_000001845C4F9E10
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EF710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,2_2_000001845C4EF710
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FE4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,2_2_000001845C4FE4D0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,3_2_000000018002E4D0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,3_2_000000018001F710
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,3_2_0000000180029E10
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,4_2_000000018002E4D0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,4_2_000000018001F710
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,4_2_0000000180029E10
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtWriteVirtualMemory: Direct from: 0x18000E065
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtProtectVirtualMemory: Direct from: 0x18002D4F8
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x1800209C4
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtProtectVirtualMemory: Direct from: 0x18002D89D
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtClose: Direct from: 0x18002052B
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18002D8BA
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x1800208EE
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18000E4F4
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180020A2F
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtWriteVirtualMemory: Direct from: 0x18000E8B1
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18002069D
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtUnmapViewOfSection: Direct from: 0x18002C9C4
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180020818
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x1800121DB
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtWriteVirtualMemory: Direct from: 0x18000B93E
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18000E173
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18001B08C
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtProtectVirtualMemory: Direct from: 0x7FFE221C26A1
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtClose: Direct from: 0x180020741
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtQuerySystemInformation: Direct from: 0x180009000
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18001AFDD
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18000B8AD
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtQuerySystemInformation: Direct from: 0x18002C984
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180012212
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180020544
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18001B131
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtClose: Direct from: 0x18002CA47
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtQuerySystemInformation: Direct from: 0x18001244C
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18000D3EB
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180008FB0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtQuerySystemInformation: Direct from: 0x18001216D
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18001B0FA
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180020758
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x1800207AD
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAdjustPrivilegesToken: Direct from: 0x180020511
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtUnmapViewOfSection: Direct from: 0x18002C9A7
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtWriteVirtualMemory: Direct from: 0x18000E6D2
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180020959
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtQueryInformationProcess: Direct from: 0x1800091B3
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180020A9A
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtQuerySystemInformation: Direct from: 0x18002D84B
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtProtectVirtualMemory: Direct from: 0x18002D52B
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAdjustPrivilegesToken: Direct from: 0x18000C5C9
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtProtectVirtualMemory: Direct from: 0x18002D88C
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18001B0C3
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180020883
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x180008494
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAdjustPrivilegesToken: Direct from: 0x180020727
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | NtAllocateVirtualMemory: Direct from: 0x18002D1CC
    Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 6252
    Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 7204
    Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 6928
    Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 7244
    Source: C:\Users\user\Desktop\install.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B370000
    Source: C:\Users\user\Desktop\install.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845BE00000
    Source: C:\Users\user\Desktop\install.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
    Source: C:\Users\user\Desktop\install.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1E15FD70000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1E15FE00000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1E15FD60000
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845C380000
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845C390000
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845C420000
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845C430000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1CD0D940000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1CD0D9D0000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1CD0D930000
    Source: C:\Windows\System32\svchost.exe | Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe 2_2_000001845C4E2140
    Source: C:\Windows\System32\svchost.exe | Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe 3_2_0000000180012140
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe 4_2_0000000180012140
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FE010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,2_2_000001845C4FE010
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Windows\System32\svchost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: C:\Windows\System32\svchost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: C:\Windows\System32\dllhost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: C:\Windows\System32\svchost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: C:\Windows\System32\dllhost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: svchost.exe, 00000003.00000003.2336282323.00000211C2B90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2336314134.00000211C2BB0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000005.00000003.2316584958.000001E162480000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager
    Source: svchost.exe, 00000003.00000003.2336626422.00000211C2C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2336336130.00000211C2CD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2356482551.0000024504C90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TCPProgram Manager
    Source: dllhost.exe, 00000005.00000003.2920253840.000001E162480000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager:
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_000000018002BBA8 cpuid 0_2_000000018002BBA8
    Source: C:\Users\user\Desktop\install.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F7E20 CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,2_2_000001845C4F7E20
    Source: C:\Users\user\Desktop\install.exe | Code function: 0_2_0000000180112B5C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0000000180112B5C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F24E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4F24E0

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR

    Remote Access Functionality

Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR
Source: C:\Windows\System32\svchost.exe, Code function: 2_2_000001845C4F1520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,2_2_000001845C4F1520
Source: C:\Windows\System32\svchost.exe, Code function: 2_2_000001845C517630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,2_2_000001845C517630
Source: C:\Windows\System32\svchost.exe, Code function: 2_2_000001845C51A830 socket,socket,htonl,bind,getsockname,2_2_000001845C51A830
Source: C:\Windows\System32\svchost.exe, Code function: 2_2_000001845C526B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,2_2_000001845C526B30
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,3_2_0000000180021520
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,3_2_0000000180047630
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_000000018004A830 socket,socket,htonl,bind,getsockname,3_2_000000018004A830
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,3_2_0000000180056B30
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe, Code function: 4_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,4_2_0000000180021520
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe, Code function: 4_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,4_2_0000000180047630
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe, Code function: 4_2_000000018004A830 socket,socket,htonl,bind,getsockname,4_2_000000018004A830
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe, Code function: 4_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,4_2_0000000180056B30
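The API chains above are listed one function at a time, which hides two things a responder wants: what each function is for, and whether the functions seen in the two svchost.exe instances and in ParphaCrashReport64.exe are the same code. The following is an added example by the editor, not Joe Sandbox output and not code from the sample: it parses these signature lines (copied from this report in their raw form; the parser also accepts the comma-separated form), tags each function with a capability using ordered API-chain rules that are the editor's own assumptions, and checks whether functions with identical API lists in different processes sit at one constant address delta, which is what a single image mapped into several processes looks like.

```python
"""Tag capabilities from Joe Sandbox "Code function" signature lines.

Added example, not part of the Joe Sandbox report or the ValleyRAT sample.
The input lines are copied from this report; the capability rules and the
shared-image heuristic are the editor's own assumptions.
"""
import re
from collections import defaultdict

# Copied from this report: processes 2 and 3 are the svchost.exe instances,
# process 4 is the dropped ParphaCrashReport64.exe.
REPORT_LINES = [
    r"Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F24E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4F24E0",
    r"Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F1520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,2_2_000001845C4F1520",
    r"Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C517630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,2_2_000001845C517630",
    r"Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C51A830 socket,socket,htonl,bind,getsockname,2_2_000001845C51A830",
    r"Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,3_2_0000000180021520",
    r"Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,3_2_0000000180047630",
    r"Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018004A830 socket,socket,htonl,bind,getsockname,3_2_000000018004A830",
    r"Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,4_2_0000000180021520",
    r"Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,4_2_0000000180047630",
    r"Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_000000018004A830 socket,socket,htonl,bind,getsockname,4_2_000000018004A830",
]

# "Source: <path>Code function: <id> <api,api,...>,<id>"; the optional ", "
# lets the same parser read the comma-separated rendering of these lines.
LINE_RE = re.compile(r"^Source: (?P<source>.+?),?\s*Code function: (?P<fid>\S+) (?P<apis>.*),(?P=fid)$")
FID_RE = re.compile(r"^(\d+)_(\d+)_([0-9A-Fa-f]+)$")   # <process>_<run>_<address>

# Ordered API chains that must occur as a subsequence of the call list (editor's rules).
CHAIN_RULES = {
    "tcp_listener": ["socket", "listen"],
    "bound_socket": ["socket", "bind"],
    "dynamic_api_resolution": ["GetModuleHandleW", "GetProcAddress"],
    "foreground_window_title": ["GetForegroundWindow", "GetWindowTextW"],
}
# Host fingerprinting is tagged when at least three of these are called (any order).
FINGERPRINT_APIS = {"gethostname", "GetComputerNameW", "GetUserNameW", "IsWow64Process",
                    "GetSystemInfo", "GlobalMemoryStatusEx", "GetVolumeInformationW",
                    "GetWindowsDirectoryW"}


def is_subsequence(chain, apis):
    """True if every API in chain occurs in apis in that relative order."""
    it = iter(apis)
    return all(any(a == want for a in it) for want in chain)


def tag_capabilities(apis):
    tags = [name for name, chain in CHAIN_RULES.items() if is_subsequence(chain, apis)]
    if len(FINGERPRINT_APIS.intersection(apis)) >= 3:
        tags.append("host_fingerprint")
    return tags


def parse_line(line):
    m = LINE_RE.match(line.strip())
    fm = FID_RE.match(m["fid"]) if m else None
    if not fm:
        return None
    proc, _run, addr = fm.groups()
    apis = m["apis"].split(",")
    return {"source": m["source"], "proc": int(proc), "addr": int(addr, 16),
            "apis": apis, "tags": tag_capabilities(apis)}


def parse_report(lines):
    return [r for r in map(parse_line, lines) if r]


def shared_images(records, min_funcs=2):
    """Process pairs whose identical functions all sit at one constant address delta.

    Returns {(proc_a, proc_b): (delta, function_count)}. A constant delta across
    several functions means one image is loaded in both processes, shifted by
    that delta (0 means the same base address in both).
    """
    by_apis = defaultdict(list)
    for r in records:
        by_apis[tuple(r["apis"])].append(r)
    deltas = defaultdict(list)
    for group in by_apis.values():
        for a in group:
            for b in group:
                if a["proc"] < b["proc"]:
                    deltas[(a["proc"], b["proc"])].append(a["addr"] - b["addr"])
    return {pair: (ds[0], len(ds)) for pair, ds in deltas.items()
            if len(ds) >= min_funcs and len(set(ds)) == 1}


if __name__ == "__main__":
    recs = parse_report(REPORT_LINES)
    for r in recs:
        print(f"proc {r['proc']} {r['addr']:#018x} {r['source']}: {', '.join(r['tags']) or '-'}")
    for (a, b), (delta, n) in shared_images(recs).items():
        print(f"processes {a} and {b}: {n} identical functions, delta {delta:#x}")
```

On this report's lines the three socket functions appear in process 3 (svchost.exe) and process 4 (ParphaCrashReport64.exe) at identical addresses (delta 0) and in process 2 (svchost.exe) shifted by 0x182DC4D0000. 0x180000000 is the usual default image base for x64 DLLs, so the process-2 copy would sit at 0x1845C4D0000, i.e. the same code mapped at its preferred base in two processes and at a relocated base in the first svchost.exe, which fits the injection signatures above. That reading is an inference from the addresses, not something the report states.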
MITRE ATT&CK Matrix, by tactic (a leading number is the badge Joe Sandbox shows for techniques with matching signatures; cells without a number had no match):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: 11 Native API; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 12 Service Execution; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: 1 DLL Side-Loading; 1 Create Account; 1 Valid Accounts; 12 Windows Service; 1 Scheduled Task/Job; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 1 Valid Accounts; 11 Access Token Manipulation; 12 Windows Service; 523 Process Injection; 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Defense Evasion: 3 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 12 Masquerading; 1 Valid Accounts; 11 Access Token Manipulation; 523 Process Injection; 1 Indicator Removal
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: 1 System Time Discovery; 11 Account Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 25 System Information Discovery; 1 Network Share Discovery; 41 Security Software Discovery; 4 Process Discovery; 1 System Owner/User Discovery; Network Service Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 1 Archive Collected Data; 21 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
Behavior Graph (ID: 1570456, Sample: install.exe, Start date: 07/12/2024, Architecture: WINDOWS, Score: 100)

Start
  Signatures: Multi AV Scanner detection for submitted file; Yara detected ValleyRAT; Contains functionality to inject threads in other processes; 2 other signatures
  install.exe (started)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Found evasive API chain checking for user administrative privileges
    svchost.exe (injected; 12 registry values created, 4 files created)
      Dropped: C:\Program Files\...\ParphaCrashReport64.exe (PE32+); C:\Program Files\...\arphaDump64.dll (PE32+)
      Signatures: Benign windows process drops PE files; Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; 3 other signatures
      ParphaCrashReport64.exe (started)
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Found direct / indirect Syscall (likely to bypass EDR)
      svchost.exe (started; 1 item created)
        Network: 18.166.104.207 (ports 49732, 49734, 80; AMAZON-02US, United States)
        Signatures: Modifies the context of a thread in another process (thread injection)
        dllhost.exe (started)
      svchost.exe (started)
        dllhost.exe (started)



Source | Detection | Scanner | Label
install.exe | 19% | Virustotal |

Source | Detection | Scanner | Label
C:\Program Files\Windows Mail\ParphaCrashReport64.exe | 4% | ReversingLabs |
C:\Program Files\Windows Mail\arphaDump64.dll | 5% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://passwords.google.comSaglab | 0% | Avira URL Cloud | safe
https://passwords.google.comUlo | 0% | Avira URL Cloud | safe
https://passwords.google.comGemte | 0% | Avira URL Cloud | safe
https://passwords.google.comSaved | 0% | Avira URL Cloud | safe
https://www.eksempel.comWebadressen | 0% | Avira URL Cloud | safe
https://passwords.google.comSe | 0% | Avira URL Cloud | safe
https://passwords.google.comLagrede | 0% | Avira URL Cloud | safe
https://passwords.google.comOpgeslagen | 0% | Avira URL Cloud | safe
https://passwords.google.comKata | 0% | Avira URL Cloud | safe
    No contacted domains info
URLs found in memory (sources: [A] install.exe, 00000000.00000000.1679592353.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp; [B] install.exe, 00000000.00000002.1705729720.00007FF695F12000.00000004.00000001.01000000.00000003.sdmp). All of these are Google Chrome help, policy, Web Store and EULA links carried as strings in the install.exe image; the trailing fragments such as Gemte, Opgeslagen, Saglab, Ctrl$1 or theme81 are the neighbouring localized UI strings run together with the URL during extraction, and none of these hosts appears among the contacted IPs below.

Name | Source | Malicious | Antivirus Detection | Reputation
http://eksempel.dk | A | false | | high
https://chrome.google.com/webstore?hl=nlCtrl$1 | A, B | false | | high
https://support.google.com/chrome/answer/6098869 | A | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlP&al | A, B | false | | high
https://chrome.google.com/webstore?hl=ms&category=theme81https://myactivity.google.com/myactivity/?u | A, B | false | | high
https://chrome.google.com/webstore?hl=es-419Ctrl$1 | A, B | false | | high
https://www.eksempel.comWebadressen | A, B | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/privacy/eula_text.htmlH&jelpAdministreres | A, B | false | | high
https://chrome.google.com/webstore?hl=noCtrl$1 | A, B | false | | high
https://passwords.google.comSaved | A | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/privacy/eula_text.html&N | A, B | false | | high
https://myactivity.google.com/ | A | false | | high
https://passwords.google.comGemte | A, B | false | Avira URL Cloud: safe | unknown
https://passwords.google.comSaglab | A, B | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged | A | false | | high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | A | false | | high
https://chrome.google.com/webstore?hl=da&category=theme81https://myactivity.google.com/myactivity/?u | A, B | false | | high
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList | A | false | | high
https://policies.google.com/ | A | false | | high
https://passwords.google.comUlo | A, B | false | Avira URL Cloud: safe | unknown
https://passwords.google.comLagrede | A, B | false | Avira URL Cloud: safe | unknown
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | A | false | | high
https://chrome.google.com/webstore?hl=daCtrl$1 | A, B | false | | high
https://ejemplo.com.Se | A, B | false | | high
https://chrome.google.com/webstore?hl=csCtrl$1 | A, B | false | | high
https://passwords.google.comSe | A, B | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=msCtrl$1 | A, B | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlB&antuanDiurus | A, B | false | | high
https://chrome.google.com/webstore?hl=no&category=theme81https://myactivity.google.com/myactivity/?u | A, B | false | | high
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled | A | false | | high
https://chrome.google.com/webstore/category/extensions | A | false | | high
https://eksempel.dk.Brug | A, B | false | | high
https://support.google.com/chromebook?p=app_intent | A | false | | high
https://chrome.google.com/webstore?hl=cs&category=theme81https://myactivity.google.com/myactivity/?u | A, B | false | | high
https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit | A, B | false | | high
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u | A, B | false | | high
https://chrome.google.com/webstore?hl=lv&category=theme81https://myactivity.google.com/myactivity/?u | A, B | false | | high
https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity | A, B | false | | high
https://support.google.com/chrome/answer/96817 | A | false | | high
https://passwords.google.comOpgeslagen | A, B | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/a/?p=browser_profile_details | A | false | | high
https://chrome.google.com/webstore?hl=nl&category=theme81https://myactivity.google.com/myactivity/?u | A, B | false | | high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl | A | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlH&j | A, B | false | | high
https://passwords.google.comKata | A, B | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=lvCtrl$1 | A, B | false | | high
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist | A | false | | high
https://support.google.com/chrome/a/answer/9122284 | A | false | | high
https://chrome.google.com/webstore?hl=enCtrl$1 | A, B | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlH&elpBeheerd | A, B | false | | high
http://ejemplo.com | A, B | false | | high
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist | A | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado | A, B | false | | high
https://chrome.google.com/webstore?hl=en-GBCtrl$1 | A, B | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
18.166.104.207 | unknown | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1570456
Start date and time: 2024-12-07 03:55:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: install.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@11/4@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 33
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:56:03 | Task Scheduler | Run new task: MicrosoftMailUpdateTask path: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
                                                                                              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02US | http://i777777o726f79616c627573696e65737362616e6b757361o636f6dz.oszar.com | Get hash | malicious | Unknown | Browse | 54.195.39.4
 | https://www.scribd.com/document/801519291/Advice-Notification#fullscreen&from_embed | Get hash | malicious | HTMLPhisher | Browse | 13.226.2.62
 | Fw Your flight has been cancelled.eml | Get hash | malicious | Unknown | Browse | 205.251.222.180
 | Distribution Agreement -21_12_48-December 6, 2024-be1f31b3a4b24beb88d27adfd723203e.pdf | Get hash | malicious | Unknown | Browse | 3.5.151.143
 | fBpY1pYq34.exe | Get hash | malicious | Njrat | Browse | 18.197.239.5
 | FYI_ Remittance Advice - 667543.eml | Get hash | malicious | Unknown | Browse | 52.33.23.190
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/email.email.panda%C2%ADdoc%C2%AD.net/c/eJxUkE2P2yAQhn-NuWWFARt88CFVY612oypR2m7UywqGwSGJDcLY3c2vryJ1-3EbjeZ99MxrW1Nz4xSxAeYBx_zqbdufVQy8WvbnZ4mHr1v5vX_uDcG2lJxXVAlZk1MLSiPjHKRWYBw4lJZJCRqkEVJZQXzLKBMlo3WpqKz4g6l4zS03pmSmLmVZCIqD9teHqEerbYCHETPx02tOGlCbK7Y5zUiu7SnnOBV8XbCuYJ2O8W8EwlCw7kO_YN3CCt7lcMGx4J8NSlVVAgyKymkGjIKWqBoJ3DlUXIGiDUhX8I6MIXvnQWcfxnsNzgkqLMCqwQZWolF0pTk0K0qZQ7S1QVeTkHo9-tuf0GZ5eheeH9Pm7by_vbzf7PD4ZUdSG09zSoWgIWY_zMOUtXN-7O_-JOHip9-A-fB43HRxdxy-Qfi03b-sbbxIktuPF_8ZV1mnHv_bTPeLpWXkZ0iXKWrAO3SXD-unw3Y8i7e8HH7ki-bz5H4FAAD__zN8qVc | Get hash | malicious | Unknown | Browse | 52.35.175.3
 | https://view.monday.com/7943156422-7d953d66ef734304cc1947de503c6a54?r=use1 | Get hash | malicious | Unknown | Browse | 3.160.188.124
 | https://ftp.phishing.guru/XZTVLTzdsZUYrUVQvc2UxelY4RXAyY1lsWllpOGZuODg5eElvOG81SlRoMHJnZ1MwbTRTYVVxVzZlMm5NZTN3Z1Z4K3NxMmZFRUUwc09aYVN3TnJFWE5KRVNJd3RESWEzaGVVRUJOTXFUS1oyaTFpbnhWYmNZMEpzc1FsRmJRTWp4OSt1QWd2djVBa050cXBJTWtQaVo1bG95emZjbHdMNDJTN1ExSkVJV3F2VEZOWnByVFp1eTB0U2h3PT0tLWdwOUd3TlJKYU9yai92dFAtLW1zSmtEb2l5OG5rdkdhS3p4QUkwOXc9PQ==?cid=2305350685&c=E,1,2hwsfxJSqavaDh1yKkXV3W2-TyhvGdShzpZs_xrCQV32rd5rxIItzkHynov7i6KPhRMjTOfzpbOL_1ijK1wBxrPztz6i3OeFYMVWHhBAPg | Get hash | malicious | KnowBe4 | Browse | 52.217.115.240
 | la.bot.sh4.elf | Get hash | malicious | Mirai | Browse | 54.171.230.55
                                                                                              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Telegrm2.69.exe | Get hash | malicious | Unknown | Browse |
 | Telegrm2.69.exe | Get hash | malicious | Unknown | Browse |
 | file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip | Get hash | malicious | Unknown | Browse |
 | SvpnLong2.exe | Get hash | malicious | Unknown | Browse |
 | SvpnLong2.exe | Get hash | malicious | Unknown | Browse |
 | Cbrome1.0.exe | Get hash | malicious | Unknown | Browse |
 | Supe.exe | Get hash | malicious | Unknown | Browse |
 | Cbrome1.0.exe | Get hash | malicious | Unknown | Browse |
 | Supe.exe | Get hash | malicious | Unknown | Browse |
 | 7Y18r(111).exe | Get hash | malicious | Unknown | Browse |
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):238384
                                                                                                                  Entropy (8bit):6.278635939854228
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:fN9rZ5vuFomptSepjTxUPjfOgwXCtRLDya09M9EvoHmkQ/2Y8L6vVefD:rZ5qomPSeCx7tRNQjSfD
                                                                                                                  MD5:8B5D51DF7BBD67AEB51E9B9DEE6BC84A
                                                                                                                  SHA1:DD63C3D4ACF0CE27F71CCE44B8950180E48E36FA
                                                                                                                  SHA-256:E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
                                                                                                                  SHA-512:1B4350D51C2107D0AA22EB01D64E1F1AB73C28114045C388BAF9547CC39A902C8A274A24479C7C2599F94C96F8772E438F21A2849316B5BD7F5D47C26A1E483B
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                  Joe Sandbox View:
                                                                                                                  • Filename: Telegrm2.69.exe, Detection: malicious, Browse
                                                                                                                  • Filename: Telegrm2.69.exe, Detection: malicious, Browse
                                                                                                                  • Filename: file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip, Detection: malicious, Browse
                                                                                                                  • Filename: SvpnLong2.exe, Detection: malicious, Browse
                                                                                                                  • Filename: SvpnLong2.exe, Detection: malicious, Browse
                                                                                                                  • Filename: Cbrome1.0.exe, Detection: malicious, Browse
                                                                                                                  • Filename: Supe.exe, Detection: malicious, Browse
                                                                                                                  • Filename: Cbrome1.0.exe, Detection: malicious, Browse
                                                                                                                  • Filename: Supe.exe, Detection: malicious, Browse
                                                                                                                  • Filename: 7Y18r(111).exe, Detection: malicious, Browse
                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):546252
                                                                                                                  Entropy (8bit):6.544089876791732
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:awnKbeNO/thmmWIK3z9rG3U9szzrHUPRxG0+UfYlrYSd:flXDp9HPYlr5d
                                                                                                                  MD5:569E0DDBCE9A40EE38ADDE0D8A8F0BA8
                                                                                                                  SHA1:EB6B5B04820E43CB03D7C1D0EBA920A4B38DBB8B
                                                                                                                  SHA-256:C5400CECFF62C817B87D11A9AEBEFEA76328D491E7A16C382CAB3B1BF3F85232
                                                                                                                  SHA-512:1789DFC328683280BF106E7449414DB4880559D8E6271E9BA5B7BA1E43EECDEAF60880341DBAFE029083F7AA677A3261978706DDCE705998B8384E9F35F4DC64
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):287232
                                                                                                                  Entropy (8bit):6.391182582162269
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:qzZrTgN6uyqfkqc53wuY+OrGW2LRKK9+R/BsP3VkxQO6yOxaXLNC3dvMvuTYp:ksxkmyLRKiM/BsNd3yGaXpruT2
                                                                                                                  MD5:1184B14D782403EAF5EB02DFA36777C5
                                                                                                                  SHA1:7C6FBCFC3C26B1BFB232DADCE23F31124468BD72
                                                                                                                  SHA-256:ACC214BCA1EE6212144EC1F45F247389FD81C462C8D4C4D85B323198F911759A
                                                                                                                  SHA-512:B378B9D3A51919654A8C5D56B6359F870EC9C14C7EFB9F56BAB6F547CDF5A45A1A9BE793C2461752196B8BA64C7ED9CDCBE6E34BFFF68A8C05FA8CAA8A96FB5B
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3198
                                                                                                                  Entropy (8bit):3.559796516107948
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:yei1q9tNTyOXZj9c9V9Lbra+iaiudupRCRvA9ufAuRa7T5XhPsV8ic4dTKp+++:tX4diaigVA9ll7dhFF7+
                                                                                                                  MD5:79C8530188472FA4159DE398A9CA797F
                                                                                                                  SHA1:0B8743354489D4460DA39E8E4EF2230E9925F638
                                                                                                                  SHA-256:46722563913B24900DFD02AFD809AE2BBABB5CE420AA81ECBF008F7ACE247F34
                                                                                                                  SHA-512:2079F7EA505FC410028A0D36A408AFE97E0BDED14548EE6448F692FEEF2D55D52CE6EC9DF5A016C6737595275FF6BD5F4D5397F0C128445ED262B75BF4DD7EE5
                                                                                                                  Malicious:false
Preview (UTF-16 text decoded; truncated as in the report):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>SYSTEM</Author>
    <Description>Microsoft Mail Update Task MachineCore</Description>
    <URI>\Microsoft\Windows\MicrosoftMailUpdateTask</URI>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</Us
                                                                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                  Entropy (8bit):6.894629376161817
                                                                                                                  TrID:
                                                                                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                  • DOS Executable Generic (2002/1) 0.92%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:install.exe
                                                                                                                  File size:23'967'232 bytes
                                                                                                                  MD5:00aa0268a34884bb4fe5dd33045fd936
                                                                                                                  SHA1:48f2340d92ce6249c5e903376d8bfff065c3fa8c
                                                                                                                  SHA256:71f0f0220ff22b380c0df240e60b5ba369557e12477187dbbef3ab77d2c91d81
                                                                                                                  SHA512:22699eb2fbbf7ccab265732142a56c022f8eaf4027591d7dda73edac0402a633dd185a17dd618f222c53fcbb5592e1f2a94bd5b97bfd483c2b88377595159fff
                                                                                                                  SSDEEP:393216:uxBgdryNDYOWG1xutyIp+iUOrMJsv6tWKFdu9Cc2potOSbLq:VOEtr5Xfq
                                                                                                                  TLSH:1837AD0BB2D505E8E476E078DA07C517EBB1B418976097DB25A88AE92F337F06D3B350
                                                                                                                  Icon Hash:41b4b2d2ca4a4c33
                                                                                                                  Entrypoint:0x14098a4e0
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x140000000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x674E54FF [Tue Dec 3 00:46:55 2024 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:6
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:6
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:6
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:67f731604820aa24c56db8b1209fe9e8
                                                                                                                  Instruction
                                                                                                                  dec eax
                                                                                                                  sub esp, 28h
                                                                                                                  call 00007FC7846AAE0Ch
                                                                                                                  dec eax
                                                                                                                  add esp, 28h
                                                                                                                  jmp 00007FC7846AA07Fh
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  inc eax
                                                                                                                  push ebx
                                                                                                                  dec eax
                                                                                                                  sub esp, 20h
                                                                                                                  dec eax
                                                                                                                  mov ebx, ecx
                                                                                                                  dec eax
                                                                                                                  lea ecx, dword ptr [00BA34FCh]
                                                                                                                  call dword ptr [001D10C6h]
                                                                                                                  and dword ptr [ebx], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b2330 | 0x1b8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16d7000 | 0x23cac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1536000 | 0x87fe4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16bc000 | 0x1a08c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1481a10 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1481c00 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14818d0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb5b000 | 0x18a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb59210 | 0xb59400 | 3d07528c978cab15ea688851b487fc17 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb5b000 | 0x95c504 | 0x95c600 | 26f06fa4bc29ae0190885022a72ea4fd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data | 0x14b8000 | 0x7d67c | 0x63400 | 62d7d572c54d202f3869b9f5edc9d259 | False | 0.2241174039672544 | DOS executable (block device driver) | 3.971040526563056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1536000 | 0x87fe4 | 0x88000 | e44ea5637f19dd8d7158dc22858f18fb | False | 0.49319996553308826 | data | 6.75803159273911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x15be000 | 0xaccec | 0xace00 | cedc914f4dd6a1b5ed8c81aa9da47ab9 | False | 0.4537590948120029 | shared library | 6.222503934047263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qtmetad | 0x166b000 | 0x536 | 0x600 | bfd0a37e057f358d80d1716d9a9abd7e | False | 0.24609375 | data | 5.0500249701877475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.qtmimed | 0x166c000 | 0x4ece5 | 0x4ee00 | 2d32d357ab751ffbbb513570c6ee6986 | False | 0.997458770800317 | gzip compressed data, original size modulo 2^32 0 | 7.998000978505572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
_RDATA | 0x16bb000 | 0x30 | 0x200 | fc2f14d81e335ad78fd3a2189af093b9 | False | 0.046875 | data | 0.24749732431271465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x16bc000 | 0x1a08c | 0x1a200 | f4d01bf4e605fd0b5af34964cd71089c | False | 0.11163651315789473 | data | 5.4651223774062325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x16d7000 | 0x24000 | 0x23e00 | 39ea9e0922cf005619901baa3d9aa8c8 | False | 0.20743276350174217 | data | 5.388058402415891 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x16d72f4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.39095744680851063
RT_ICON | 0x16d775c | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.26976744186046514
RT_ICON | 0x16d7e14 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.20778688524590164
RT_ICON | 0x16d879c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.16041275797373358
RT_ICON | 0x16d9844 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.24497041420118343
RT_ICON | 0x16db2ac | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.20778008298755188
RT_ICON | 0x16dd854 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.15446386395843173
RT_ICON | 0x16e1a7c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.07485508103631847
RT_ICON | 0x16f22a4 | 0x4222 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9747194329592439
RT_ICON | 0x16f64c8 | 0x4222 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9747194329592439
RT_GROUP_ICON | 0x16fa6ec | 0x84 | data | English | United States | 0.7045454545454546
RT_VERSION | 0x16fa770 | 0x2bc | data | English | United States | 0.4742857142857143
RT_MANIFEST | 0x16faa2c | 0x27e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5501567398119123
DLL | Import
KERNEL32.dll | CompareStringW, LCMapStringW, MultiByteToWideChar, FindCloseChangeNotification, FindFirstChangeNotificationW, FindNextChangeNotification, FindFirstFileExW, FindNextFileW, FreeLibrary, GetModuleHandleExW, GetTimeZoneInformation, GetGeoInfoW, GetUserGeoID, GetExitCodeProcess, ReleaseMutex, CreateMutexW, VirtualAlloc, VirtualFree, DeviceIoControl, RtlPcToFileHeader, RaiseException, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringA, SetLastError, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, InitializeCriticalSectionAndSpinCount, CreateActCtxW, ActivateActCtx, DeactivateActCtx, FindActCtxSectionStringW, QueryActCtxW, LoadResource, LockResource, SizeofResource, FindResourceW, GlobalFree, MulDiv, GlobalReAlloc, GlobalHandle, LocalAlloc, LocalReAlloc, lstrcmpA, GlobalGetAtomNameW, GlobalAddAtomW, LockFile, UnlockFile, LoadLibraryExW, lstrcmpiW, GlobalFlags, GlobalDeleteAtom, GlobalFindAtomW, GetVersionExW, FileTimeToLocalFileTime, GetFileTime, SetFileAttributesW, SystemTimeToTzSpecificLocalTime, GetUserDefaultUILanguage, VirtualProtect, lstrcpyW, FindResourceExW, GetWindowsDirectoryW, VerSetConditionMask, VerifyVersionInfoW, GetProfileIntW, SearchPathW, GetTempFileNameW, RtlUnwindEx, RtlUnwind, ExitProcess, GetCommandLineA, ExitThread, FreeLibraryAndExitThread, SetStdHandle, UnregisterWaitEx, ReadConsoleW, GetConsoleCP, GetStdHandle, HeapQueryInformation, VirtualQuery, IsValidLocale, EnumSystemLocalesW, SetEnvironmentVariableW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, SetErrorMode, GetVolumePathNamesForVolumeNameW, GetTempPathW, SetFileTime, RemoveDirectoryW, GetLogicalDrives, GetFullPathNameW, GetFileInformationByHandle, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CreateDirectoryW, GetCurrentDirectoryW, GetModuleFileNameW, GetStartupInfoW, GetTickCount64, QueryPerformanceFrequency, QueryPerformanceCounter, GetFileAttributesExW, GetUserPreferredUILanguages, GetUserDefaultLCID, GetCurrencyFormatW, GetTimeFormatW, GetDateFormatW, ResetEvent, GetSystemInfo, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, ResumeThread, TerminateThread, GetThreadPriority, SetThreadPriority, GetCurrentThread, CreateThread, WaitForMultipleObjects, Sleep, WaitForSingleObject, DuplicateHandle, GetSystemDirectoryW, CreateEventW, WaitForSingleObjectEx, SetEvent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, OutputDebugStringW, GetLocalTime, GetSystemTime, GetCommandLineW, CompareStringEx, GetFileSize, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, GetConsoleWindow, GetDriveTypeW, GetVolumeInformationW, GetLongPathNameW, WideCharToMultiByte, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, WriteFile, SetFilePointer, ReadFile, InitializeCriticalSectionEx, GetFileSizeEx, CreateFileW, GetUserDefaultLangID, GetCurrentProcessId, GlobalSize, LoadLibraryA, LoadLibraryW, GetLocaleInfoW, GlobalLock, GlobalUnlock, GlobalAlloc, OpenProcess, CheckRemoteDebuggerPresent, CreateProcessW, CloseHandle, ExpandEnvironmentStringsW, WTSGetActiveConsoleSessionId, FormatMessageW, LocalFree, GetProcAddress, GetModuleHandleW, GetCurrentThreadId, GetLastError, lstrcmpW, SetFilePointerEx, RegisterWaitForSingleObject, SetEndOfFile, GetFileType, FlushFileBuffers, GetFileInformationByHandleEx, SystemTimeToFileTime, FileTimeToSystemTime, TzSpecificLocalTimeToSystemTime, MoveFileExW, MoveFileW, GetConsoleMode, CopyFileW
WTSAPI32.dll | WTSFreeMemory, WTSQuerySessionInformationW
UxTheme.dll | IsAppThemed, GetCurrentThemeName, GetThemeSysColor, GetWindowTheme, DrawThemeBackground, DrawThemeParentBackground, DrawThemeText, OpenThemeData, GetThemePartSize, GetThemeColor, GetThemeInt, GetThemeEnumValue, GetThemeMargins, GetThemePropertyOrigin, GetThemeTransitionDuration, CloseThemeData, GetThemeBackgroundRegion, IsThemeBackgroundPartiallyTransparent, GetThemeBool, SetWindowTheme, IsThemeActive
dwmapi.dll | DwmSetWindowAttribute, DwmIsCompositionEnabled, DwmGetWindowAttribute, DwmEnableBlurBehindWindow
IMM32.dll | ImmReleaseContext, ImmAssociateContext, ImmAssociateContextEx, ImmGetCompositionStringW, ImmGetOpenStatus, ImmNotifyIME, ImmSetCompositionWindow, ImmSetCandidateWindow, ImmGetVirtualKey, ImmGetDefaultIMEWnd, ImmGetContext
USERENV.dll | GetUserProfileDirectoryW
VERSION.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
NETAPI32.dll | NetApiBufferFree, NetShareEnum
WS2_32.dll | WSAAsyncSelect
WINMM.dll | PlaySoundW, timeKillEvent, timeSetEvent
MSIMG32.dll | AlphaBlend, TransparentBlt
gdiplus.dll | GdipDrawImageI, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipDeleteGraphics, GdipCreateBitmapFromScan0, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipCreateBitmapFromHBITMAP, GdipCreateFromHDC, GdipSetInterpolationMode, GdipGetImagePalette, GdiplusShutdown, GdipAlloc, GdipFree, GdiplusStartup, GdipCloneImage, GdipDisposeImage, GdipGetImageGraphicsContext, GdipGetImageWidth, GdipGetImageHeight, GdipGetImagePixelFormat, GdipDrawImageRectI
OLEACC.dll | CreateStdAccessibleObject, AccessibleObjectFromWindow, LresultFromObject
USER32.dll | CheckDlgButton, IsDialogMessageW, PostQuitMessage, DrawTextW, DrawTextExW, GrayStringW, TabbedTextOutW, GetWindowDC, FillRect, InflateRect, CopyImage, SendDlgItemMessageA, SetRectEmpty, OffsetRect, CreateDialogIndirectParamW, EndDialog, GetNextDlgTabItem, MapDialogRect, ShowOwnedPopups, DeleteMenu, IntersectRect, GetNextDlgGroupItem, DrawFocusRect, IsRectEmpty, EnableScrollBar, InvertRect, NotifyWinEvent, GetMenuDefaultItem, GetKeyNameTextW, LoadMenuW, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, DrawStateW, SetClassLongPtrW, DrawEdge, DrawFrameControl, BringWindowToTop, CopyIcon, FrameRect, DrawIcon, UnionRect, LoadAcceleratorsW, TranslateAcceleratorW, InsertMenuItemW, UnpackDDElParam, ReuseDDElParam, GetComboBoxInfo, PostThreadMessageW, WaitMessage, IsCharLowerW, MapVirtualKeyExW, ToUnicodeEx, CreateAcceleratorTableW, DestroyAcceleratorTable, CopyAcceleratorTableW, SetRect, LockWindowUpdate, SetMenuDefaultItem, CharUpperBuffW, IsClipboardFormatAvailable, DefFrameProcW, DefMDIChildProcW, TranslateMDISysAccel, SubtractRect, GetWindowRgn, MapVirtualKeyW, ToUnicode, ToAscii, GetKeyboardState, GetKeyState, IsZoomed, PeekMessageW, FindWindowA, SetCaretPos, ShowCaret, HideCaret, DestroyCaret, CreateCaret, RegisterWindowMessageW, GetKeyboardLayout, RegisterClipboardFormatW, ChangeClipboardChain, SetClipboardViewer, IsHungAppWindow, LoadIconW, EnumDisplayMonitors, GetMonitorInfoW, MonitorFromWindow, SetMenuItemInfoW, GetMenuItemInfoW, TrackPopupMenu, RemoveMenu, ModifyMenuW, AppendMenuW, InsertMenuW, DestroyMenu, CreatePopupMenu, CreateMenu, DrawMenuBar, SetMenu, LoadImageW, GetSysColorBrush, ChildWindowFromPointEx, GetCursorPos, GetFocus, RegisterClassExW, GetClassInfoW, UnregisterClassW, UnregisterPowerSettingNotification, RegisterPowerSettingNotification, GetKeyboardLayoutList, GetAncestor, MonitorFromPoint, DestroyIcon, DestroyCursor, GetWindow, GetWindowThreadProcessId, SetParent, GetParent, SetWindowLongPtrW, GetWindowLongPtrW, SetWindowLongW, GetWindowLongW, ScreenToClient, ClientToScreen, SetCursor, AdjustWindowRectEx, GetWindowRect, GetClientRect, SetWindowTextW, InvalidateRect, SetWindowRgn, GetUpdateRect, EndPaint, BeginPaint, SetForegroundWindow, GetForegroundWindow, EnableMenuItem, GetSystemMenu, GetMenu, ReleaseCapture, SetCapture, GetCapture, IsTouchWindow, UnregisterTouchWindow, RegisterTouchWindow, SetFocus, IsIconic, IsWindowVisible, SetWindowPlacement, GetWindowPlacement, SetWindowPos, MoveWindow, FlashWindowEx, SetLayeredWindowAttributes, UpdateLayeredWindow, ShowWindow, IsChild, CreateWindowExW, AttachThreadInput, PostMessageW, SendMessageW, UpdateLayeredWindowIndirect, GetCaretBlinkTime, MessageBeep, IsWindow, GetDoubleClickTime, GetDesktopWindow, GetSysColor, ReleaseDC, GetDC, DestroyWindow, DefWindowProcW, SystemParametersInfoW, GetSystemMetrics, WinHelpW, GetScrollInfo, SetScrollInfo, GetTopWindow, GetClassLongPtrW, EqualRect, CopyRect, MapWindowPoints, RemovePropW, GetPropW, SetPropW, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, RedrawWindow, SetActiveWindow, UpdateWindow, GetDlgItem, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, IsMenu, GetClassInfoExW, CallWindowProcW, GetMessageTime, GetMessagePos, LoadBitmapW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, CheckMenuItem, RealChildWindowFromPoint, GetClassNameW, PtInRect, GetDlgCtrlID, CharUpperW, GetWindowTextLengthW, CallNextHookEx, SetWindowsHookExW, ValidateRect, GetActiveWindow, GetMessageW, GetLastActivePopup, EnableWindow, UnhookWindowsHookEx, GetMenuItemCount, GetMenuItemID, GetSubMenu, GetMenuState, GetMenuStringW, UnregisterDeviceNotification, RegisterDeviceNotificationW, CharNextExA, KillTimer, SetTimer, MsgWaitForMultipleObjectsEx, GetQueueStatus, DispatchMessageW, TranslateMessage, DrawIconEx, MessageBoxW, ChangeWindowMessageFilterEx, RealGetWindowClassW, EnumWindows, GetWindowTextW, CloseTouchInputHandle, GetTouchInputInfo, GetAsyncKeyState, GetMessageExtraInfo, TrackMouseEvent, GetClipboardFormatNameW, GetCursorInfo, GetIconInfo, CreateIconIndirect, CreateCursor, LoadCursorW, GetCursor, SetCursorPos, EnumDisplayDevicesW, RegisterClassW, IsWindowEnabled, TrackPopupMenuEx, WindowFromPoint
GDI32.dll | SelectClipRgn, SelectObject, CreateDIBSection, GdiFlush, BitBlt, OffsetRgn, SetLayout, DeleteObject, DeleteDC, CreateRectRgn, CreateCompatibleDC, GetRegionData, GetDeviceCaps, GetViewportOrgEx, GetWindowOrgEx, SetPixelV, SetPaletteEntries, ExtFloodFill, PtInRegion, GetBoundsRect, FrameRgn, FillRgn, RoundRect, GetRgnBox, Rectangle, LPtoDP, CreateRoundRectRgn, Polyline, Polygon, CreatePolygonRgn, GetTextColor, Ellipse, CreateEllipticRgn, SetDIBColorTable, StretchBlt, SetPixel, GetTextCharsetInfo, EnumFontFamiliesW, CreateDIBitmap, GetBkColor, RealizePalette, GetSystemPaletteEntries, CreateCompatibleBitmap, CreateDCW, CreateBitmap, ChoosePixelFormat, SetPixelFormat, DescribePixelFormat, GetPixelFormat, SwapBuffers, GetBitmapBits, GetObjectW, CreateFontIndirectW, EnumFontFamiliesExW, GetFontData, GetStockObject, AddFontResourceExW, RemoveFontResourceExW, AddFontMemResourceEx, RemoveFontMemResourceEx, GetTextMetricsW, GetTextFaceW, GetCharABCWidthsW, GetCharABCWidthsFloatW, GetGlyphOutlineW, GetOutlineTextMetricsW, GetTextExtentPoint32W, GetCharABCWidthsI, SetBkMode, SetGraphicsMode, SetTextColor, SetTextAlign, SetWorldTransform, ExtTextOutW, GetDIBits, CopyMetaFileW, SetBkColor, CreateHatchBrush, CreatePen, CreatePatternBrush, CreateSolidBrush, Escape, ExcludeClipRect, GetClipBox, GetObjectType, GetPixel, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, PtVisible, RectVisible, RestoreDC, SaveDC, ExtSelectClipRgn, SelectPalette, SetMapMode, GetLayout, SetPolyFillMode, SetROP2, MoveToEx, TextOutW, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, CreateRectRgnIndirect, PatBlt, SetRectRgn, DPtoLP, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, CombineRgn
WINSPOOL.DRV | ClosePrinter, DocumentPropertiesW, OpenPrinterW
ADVAPI32.dll | RegEnumKeyExW, BuildTrusteeWithSidW, GetNamedSecurityInfoW, GetEffectiveRightsFromAclW, LookupAccountSidW, MapGenericMask, GetLengthSid, FreeSid, DuplicateToken, CopySid, AllocateAndInitializeSid, AccessCheck, OpenProcessToken, RegSetValueExW, RegQueryInfoKeyW, RegFlushKey, RegEnumValueW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, GetSidSubAuthorityCount, RegOpenKeyExW, RegQueryValueExW, SystemFunction036, GetSidSubAuthority
SHELL32.dll | SHGetStockIconInfo, SHGetFileInfoW, ShellExecuteW, SHCreateItemFromIDList, SHGetMalloc, SHGetPathFromIDListW, SHGetKnownFolderIDList, SHBrowseForFolderW, SHAppBarMessage, DragFinish, DragQueryFileW, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetKnownFolderPath, CommandLineToArgvW, Shell_NotifyIconGetRect, Shell_NotifyIconW, SHCreateItemFromParsingName
ole32.dll | CoTaskMemFree, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, DoDragDrop, CoCreateInstance, OleIsCurrentClipboard, OleFlushClipboard, OleGetClipboard, OleSetClipboard, CoInitialize, CoInitializeEx, CoUninitialize, OleUninitialize, OleLockRunning, CreateStreamOnHGlobal, OleInitialize, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, CoDisconnectObject, OleDuplicateData, CoTaskMemAlloc, StringFromGUID2, CoCreateGuid, CoGetMalloc, ReleaseStgMedium
OLEAUT32.dll | VarBstrFromDate, VariantChangeType, VariantCopy, VariantClear, VariantInit, LoadTypeLib, SysAllocString, SafeArrayCreateVector, SafeArrayPutElement, VariantTimeToSystemTime, SystemTimeToVariantTime, SysStringLen, SysFreeString, SysAllocStringLen
SHLWAPI.dll | PathFindExtensionW, PathRemoveFileSpecW, PathIsUNCW, PathFindFileNameW, StrFormatKBSizeW, PathStripToRootW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 7, 2024 03:56:04.515686035 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:04.635535955 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:04.635616064 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:04.635767937 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:04.755443096 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:06.194259882 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:06.199033022 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:06.246927977 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:06.314088106 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:06.314584970 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:06.316215992 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:06.435930967 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:06.471370935 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:06.591289997 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:07.890440941 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:07.934429884 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:07.980576038 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:08.100234032 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:16.606311083 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:16.726035118 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:18.106288910 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:18.226058006 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:26.731450081 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:26.851135969 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:28.231303930 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:28.351006985 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:36.856323004 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:36.976008892 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:38.356347084 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:38.476001978 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:46.981364012 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:47.101231098 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:48.481303930 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:48.601016045 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:57.106342077 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:57.226037025 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:56:58.606340885 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:56:58.726170063 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:07.231384039 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:07.351130009 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:07.773758888 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:07.893523932 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:08.731332064 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:08.851032972 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:09.786475897 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:09.906327963 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:17.903251886 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:18.024707079 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:19.918869972 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:20.038572073 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:28.028239012 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:28.147993088 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:30.043864012 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:30.163578987 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:38.153275013 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:38.272902012 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:40.168878078 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:40.288666010 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:48.278253078 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:48.397883892 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:50.293963909 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:50.413652897 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:57:58.403328896 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:57:58.522984982 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:58:00.418863058 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:58:00.538508892 CET  80           49734      18.166.104.207   192.168.2.4
Dec 7, 2024 03:58:08.528254032 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:58:08.559958935 CET  49732        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:58:08.560004950 CET  49734        80         192.168.2.4      18.166.104.207
Dec 7, 2024 03:58:08.647878885 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:58:08.679800034 CET  80           49732      18.166.104.207   192.168.2.4
Dec 7, 2024 03:58:08.679894924 CET  80           49734      18.166.104.207   192.168.2.4
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49732        18.166.104.207  80                6252  C:\Windows\System32\svchost.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 7, 2024 03:56:04.635767937 CET  56                 OUT
  Data Raw: 00 1a 2b 1e 0d 00 18 0c 08 0d 08 1a 2d 28 0a 0c 1d 22 23 15 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38
  Data Ascii: +-("#::::::::::::::::::::::::::::::::=8
Dec 7, 2024 03:56:06.199033022 CET  85                 IN
  Data Raw: 2a 13 0b 09 06 1d 29 12 2b 24 10 22 06 0d 0a 10 11 20 0c 13 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5e 3a 3a 3a 27 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c 63 b2 12 b1 e2 b3 e2 01 92 dc 56 1c 56 9c 40 9a 03 08 99 ac a8 09 00 b5
  Data Ascii: *)+$" ::::::::::::::::;:::^:::':::::::=8xcVV@w
Dec 7, 2024 03:56:06.471370935 CET  805                OUT
  Data Raw: 2a 13 0b 09 06 1d 29 12 2b 24 10 22 06 0d 0a 10 11 20 0c 13 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 46 13 3a 3a d7 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 4d 6f da 40 10 ad c8 85 04 9a e6 c0 21 42 51 55 45 55 55 55 55 4f
  Data Ascii: *)+$" ::::::::::::::::;:::F::8::::::=8xXMo@!BQUEUUUUO=SH)5Q)B"(fL?@k;fgwB;FZof2Em'y%b#-_Ry6Mr%(d}lq&u.#bOs\hhI{])).qGh>-gr
Dec 7, 2024 03:56:16.606311083 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:56:26.731450081 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:56:36.856323004 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:56:46.981364012 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:56:57.106342077 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:57:07.231384039 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:57:07.773758888 CET  642                OUT
  Data Raw: 2d 17 2e 03 1b 18 1c 0e 02 1c 16 2d 0e 0f 20 28 2f 07 1a 2c 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 32 1a 3a 3a 8e 1b 3a 3a 70 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 41 6b 1a 51 10 86 9e 02 85 92 43 0e 41 42 29 d2 94 50 4a c9 a1 a7
  Data Ascii: -.- (/,::::::::::::::::2::::p8::::::=8xXAkQCAB)PJJew1uE]C[1#fQFf7o{OBr!FUTCuv=zq!k-w\Hy;}=JuDhuZvmz@Rj!}rD|i 0ekW LM


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49734        18.166.104.207  80                7204  C:\Windows\System32\svchost.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 7, 2024 03:56:06.316215992 CET  56                 OUT
  Data Raw: 2a 13 0b 09 06 1d 29 12 2b 24 10 22 06 0d 0a 10 11 20 0c 13 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38
  Data Ascii: *)+$" ::::::::::::::::::::::::::::::::=8
Dec 7, 2024 03:56:07.890440941 CET  85                 IN
  Data Raw: 2d 0b 18 0b 2b 2e 0e 13 1a 2c 18 2a 28 11 2a 24 25 27 29 28 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5e 3a 3a 3a 27 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c 63 b2 12 b1 e2 b3 e2 01 92 dc 56 1c 56 9c 40 9a 03 08 99 ac a8 09 00 b5
  Data Ascii: -+.,*(*$%')(::::::::::::::::;:::^:::':::::::=8xcVV@w
Dec 7, 2024 03:56:07.980576038 CET  802                OUT
  Data Raw: 2e 1f 03 28 0c 24 01 12 1a 20 1c 2e 1d 03 1a 0e 27 19 07 07 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5a 13 3a 3a d0 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 4d 6f da 40 10 ad c8 c5 09 34 cd 81 43 84 a2 aa 8a aa aa aa aa 9e
  Data Ascii: .($ .'::::::::::::::::;:::Z::8::::::=8xXMo@4Czz*"|Q)B*(fL?@kw]l#jI.7eKi"0aD}$ECJxK]lM)Q@"N CKWeuy{FGKKNV'Nq3<B_(-i9S
Dec 7, 2024 03:56:18.106288910 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:56:28.231303930 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:56:38.356347084 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:56:48.481303930 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:56:58.606340885 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:57:08.731332064 CET  6                  OUT
  Data Raw: 00
  Data Ascii:
Dec 7, 2024 03:57:09.786475897 CET  642                OUT
  Data Raw: 24 0c 0e 22 1c 05 2d 0f 2d 24 1e 05 13 13 20 0c 23 25 17 15 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 32 1a 3a 3a 8e 1b 3a 3a 70 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 41 6b 1a 51 10 86 9e 02 85 92 43 0e 41 42 29 d2 94 50 4a c9 a1 a7
  Data Ascii: $"--$ #%::::::::::::::::2::::p8::::::=8xXAkQCAB)PJJew1uE]C[1#fQFf7o{OBr!FUTCuv=zq!k-w\Hy;}=JuDhuZvmz@Rj!}rD|i 0ekW LM



Target ID: 0
Start time: 21:56:00
Start date: 06/12/2024
Path: C:\Users\user\Desktop\install.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\install.exe"
Imagebase: 0x7ff695100000
File size: 23'967'232 bytes
MD5 hash: 00AA0268A34884BB4FE5DD33045FD936
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 21:56:01
Start date: 06/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 21:56:02
Start date: 06/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 21:56:03
Start date: 06/12/2024
Path: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
Imagebase: 0x7ff656dd0000
File size: 238'384 bytes
MD5 hash: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 4%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 21:56:03
Start date: 06/12/2024
Path: C:\Windows\System32\dllhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase: 0x7ff70f330000
File size: 21'312 bytes
MD5 hash: 08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 21:56:04
Start date: 06/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                                  Target ID: 7
                                                                                                                  Start time: 21:56:04
                                                                                                                  Start date: 06/12/2024
                                                                                                                  Path: C:\Windows\System32\dllhost.exe
                                                                                                                  Wow64 process (32bit): false
                                                                                                                  Commandline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
                                                                                                                  Imagebase: 0x7ff70f330000
                                                                                                                  File size: 21'312 bytes
                                                                                                                  MD5 hash: 08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                  Has elevated privileges: true
                                                                                                                  Has administrator privileges: true
                                                                                                                  Programmed in: C, C++ or other language
                                                                                                                  Reputation: moderate
                                                                                                                  Has exited: false


                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage: 1.5%
                                                                                                                    Dynamic/Decrypted Code Coverage: 100%
                                                                                                                    Signature Coverage: 76.4%
                                                                                                                    Total number of Nodes: 110
                                                                                                                    Total number of Limit Nodes: 4

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
                                                                                                                    • String ID: Schedule
                                                                                                                    • API String ID: 3636854120-2739827629
                                                                                                                    • Opcode ID: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
                                                                                                                    • Instruction ID: 6ee3f7f16e62e9fbbf62cb728b63543f6f6100922e48a7ada6915e3d38cfd098
                                                                                                                    • Opcode Fuzzy Hash: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
                                                                                                                    • Instruction Fuzzy Hash: 84A1AE36705B8886EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    • 0, xrefs: 000000018000828B
                                                                                                                    • Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!, xrefs: 0000000180008315
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocAlpcConnectMemoryPortProcessVirtualWritememcpymemset
                                                                                                                    • String ID: 0$Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!
                                                                                                                    • API String ID: 2322259470-3460289035
                                                                                                                    • Opcode ID: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
                                                                                                                    • Instruction ID: a438414d86da3f9fa76c6e2917a93b97ec5bb287934b9f4f7f73d30ebcaf7dce
                                                                                                                    • Opcode Fuzzy Hash: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
                                                                                                                    • Instruction Fuzzy Hash: 6D713DB5324EC891EBA5CF65E8587DA6362F788798F80A216DE4D07668DF3CC249C700

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 47 180009bc0-180009d4a VirtualAllocEx 48 180009da0-180009da9 47->48 49 180009db1-180009e16 48->49 50 180009dab 48->50 50->49
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocVirtual
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 4275171209-2766056989
                                                                                                                    • Opcode ID: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
                                                                                                                    • Instruction ID: 13e2f726a9112c9c31c995d983c9da114070f7450b087ebba6d3042457f4b947
                                                                                                                    • Opcode Fuzzy Hash: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
                                                                                                                    • Instruction Fuzzy Hash: 8F41CF32318B9881EB65CF62F854BD67764F788784F519116EE8D43B14DF38C61AC700

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 54 180005824-1800058d4 realloc NtQuerySystemInformation
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InformationQuerySystemrealloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4089764311-0
                                                                                                                    • Opcode ID: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
                                                                                                                    • Instruction ID: b0525076bbbf58c043072cd616ac76dc382e5d39b6996fcf6a95a9be821e6ce1
                                                                                                                    • Opcode Fuzzy Hash: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
                                                                                                                    • Instruction Fuzzy Hash: 27015EB632498485FB55CBA6E86839BB362E38CBD4F44E0269E0D47758CE28C1098700

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 55 1800054d5-1800055a1 DuplicateHandle 57 1800055a7 55->57 58 1800069ad 55->58 57->58
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
                                                                                                                    • Instruction ID: 9c50cbf5d08d3b6d4a605893f6b359a3682b26f1feaf6ace4ca51b493498b96a
                                                                                                                    • Opcode Fuzzy Hash: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
                                                                                                                    • Instruction Fuzzy Hash: 9211BFB1614B8885FB61CFA5E8187C773A0E38D794F45A116DE4E17B64CF38C209C704

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
                                                                                                                    • String ID: svchost.exe
                                                                                                                    • API String ID: 2075570005-3106260013
                                                                                                                    • Opcode ID: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
                                                                                                                    • Instruction ID: bee279387a080e4ef1cf93fe2260fe9373c10eb3ce040ed65f2ee5617e8a23f3
                                                                                                                    • Opcode Fuzzy Hash: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
                                                                                                                    • Instruction Fuzzy Hash: 87019631310A4C81FBAADB21E4A93DA6360BB8C795F449025A95E46695DF3CC34CC740

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 51 18000ad3e-18000adcc VirtualAllocEx 52 18000add5 51->52 53 18000adce 51->53 53->52
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocVirtual
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 4275171209-2766056989
                                                                                                                    • Opcode ID: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
                                                                                                                    • Instruction ID: 6b845daad974ccd9c6abd76d61111d535f536517db2d34ef27256cbb8d76cfd7
                                                                                                                    • Opcode Fuzzy Hash: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
                                                                                                                    • Instruction Fuzzy Hash: 7B016DB5729A8C41FBA9CBA1F465BD62360A78DBD4F40A21A9D0E17B55DE2CC2068304

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 59 18000a9be-18000aa4b VirtualAllocEx 60 18000aa51 59->60 61 18000b194 59->61 60->61
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4275171209-0
                                                                                                                    • Opcode ID: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
                                                                                                                    • Instruction ID: 251b8e02f3a2b925dc00676b0f08ae0c6924386de3889a0ff5d432a66f8cfcc3
                                                                                                                    • Opcode Fuzzy Hash: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
                                                                                                                    • Instruction Fuzzy Hash: 75012CB5619E8C41FBA9CBA1F464BDA6774E78DB94F40A11ADE0E17B51DF28C20AC304

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AdjustPrivilege
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3260937286-0
                                                                                                                    • Opcode ID: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
                                                                                                                    • Instruction ID: 04bb496a426d1b43e6b52f20395e61ae4e41d159ec3593a713d9b4970c529e46
                                                                                                                    • Opcode Fuzzy Hash: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
                                                                                                                    • Instruction Fuzzy Hash: A5F04F3A334F8C81EBE9DB21E85979667A0B74CB98F41A406ED4D43764CE3DC2158B00

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 67 180005a0d-180005a86 GetProcessId 68 1800069ba 67->68 69 180005a8c 67->69 69->68
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1235230986-0
                                                                                                                    • Opcode ID: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
                                                                                                                    • Instruction ID: d652ffa87c38ed1c04ac93e0a0d2335ef1528c7a1f19fbd04ef7ff50280f2555
                                                                                                                    • Opcode Fuzzy Hash: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
                                                                                                                    • Instruction Fuzzy Hash: 0C018BB271490485EB54CB59E4503AB7371F78DBD8F50A122EF4E87764DF29C256C704

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 70 18000af22-18000afa4 WriteProcessMemory 71 18000afaa 70->71 72 18000b1a0 70->72 71->72
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MemoryProcessWrite
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3559483778-0
                                                                                                                    • Opcode ID: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
                                                                                                                    • Instruction ID: 56856a108c934b35fd8b12db096080665d1aff2e22ecb35535ebb708edeb7d18
                                                                                                                    • Opcode Fuzzy Hash: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
                                                                                                                    • Instruction Fuzzy Hash: 9101E8B5319E8891FBA9CB52E898386A362A78DBD0F51D1169D0D47768CE2DC109C304

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 73 18000a8b2-18000a937 WriteProcessMemory 74 18000a939 73->74 75 18000a940 73->75 74->75
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MemoryProcessWrite
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3559483778-0
                                                                                                                    • Opcode ID: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
                                                                                                                    • Instruction ID: 440d9c2e63d84a318507e4d3145013176a8cc7cafd38941c5fd7eab054e276a3
                                                                                                                    • Opcode Fuzzy Hash: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
                                                                                                                    • Instruction Fuzzy Hash: 4A013CF5319E8881FBA5CB56E898786A762E78EBD4F41D1168D4D0B768CF3DC109C304

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 76 18000b100-18000b183 WriteProcessMemory 77 18000b185 76->77 78 18000b18c 76->78 77->78
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MemoryProcessWrite
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3559483778-0
                                                                                                                    • Opcode ID: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
                                                                                                                    • Instruction ID: 24c97e1a4b5bf787aa031fe235fe3c6da918f95ea593df74073bd4adbefb4954
                                                                                                                    • Opcode Fuzzy Hash: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
                                                                                                                    • Instruction Fuzzy Hash: 73F03CF5329E9981FBA5CB12EC58786A322F789BD4F41E1168D0D4B768CE2DC2098384

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 79 180001010-180001048 malloc 80 18000104e-18000107d call 180113300 79->80 81 180001590-1800015a9 call 180112660 79->81 86 180001084-18000108c 80->86 87 18000107f-180001082 80->87 89 180001093-1800010a4 86->89 90 18000108e-180001091 86->90 88 1800010c4-1800010d5 malloc 87->88 93 180001578-180001588 88->93 94 1800010db-180001116 memcpy * 2 88->94 91 1800010a6-1800010a9 89->91 92 1800010ab-1800010be call 180113336 89->92 90->88 91->88 92->88 93->81 96 180001120-18000116c 94->96 96->96 98 18000116e-18000117a 96->98 99 180001180-18000118b 98->99 99->99 100 18000118d-18000118f 99->100 100->93 101 180001195-180001210 memset wsprintfW CreateFileW 100->101 102 180001212-180001218 GetLastError 101->102 103 18000121a-18000123b WriteFile 101->103 104 18000124c-1800012c2 Sleep memset wsprintfW CreateFileW 102->104 105 180001243-180001246 CloseHandle 103->105 106 18000123d GetLastError 103->106 107 1800012c4-1800012ca GetLastError 104->107 108 1800012cc-1800012ed WriteFile 104->108 109 1800012fe-180001374 Sleep memset wsprintfW CreateFileW 107->109 110 1800012f5-1800012f8 CloseHandle 108->110 111 1800012ef GetLastError 108->111 112 180001376-18000137c GetLastError 109->112 113 18000137e-18000139b WriteFile 109->113 110->109 111->110 114 1800013ac-1800013bb Sleep 112->114 115 1800013a3-1800013a6 CloseHandle 113->115 116 18000139d GetLastError 113->116 117 1800013c1-1800013e0 VirtualAlloc 114->117 118 180001568-180001570 114->118 115->114 116->115 117->118 119 1800013e6-18000142a memcpy CreateThread call 180001a10 117->119 118->93 122 180001523-180001562 memset memcpy CreateThread 119->122 123 180001430-18000149a VariantInit 119->123 122->118 125 18000149c-1800014bc SysAllocString 123->125 126 1800014be GetLastError 123->126 125->126 127 1800014c4-1800014c8 125->127 126->127 127->122 129 1800014ca-18000151e memset wsprintfW call 180001d60 127->129 129->122
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
                                                                                                                    • String ID: %s\%s$\Microsoft\Windows
                                                                                                                    • API String ID: 1085075972-4137575348
                                                                                                                    • Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
                                                                                                                    • Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
                                                                                                                    • Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
                                                                                                                    • Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 131 180001a10-180001b4f CoInitialize 132 180001b50-180001b5c 131->132 132->132 133 180001b5e-180001c9b 132->133 134 180001ca0-180001cac 133->134 134->134 135 180001cae-180001d02 CLSIDFromString 134->135 136 180001d04-180001d15 IIDFromString 135->136 137 180001d3b-180001d5a call 180112660 135->137 136->137 138 180001d17-180001d39 CoCreateInstance 136->138 138->137
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FromString$CreateInitializeInstance
                                                                                                                    • String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
                                                                                                                    • API String ID: 511945936-2205580742
                                                                                                                    • Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
                                                                                                                    • Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
                                                                                                                    • Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
                                                                                                                    • Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: String$Alloc$FromInitVariant
                                                                                                                    • String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
                                                                                                                    • API String ID: 929278495-107290059
                                                                                                                    • Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
                                                                                                                    • Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
                                                                                                                    • Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
                                                                                                                    • Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 808467561-0
                                                                                                                    • Opcode ID: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
                                                                                                                    • Instruction ID: 4599084cfb13f8c747939fbc3aba35a6bd4e8a08bbcc0f0b71949d4f47730483
                                                                                                                    • Opcode Fuzzy Hash: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
                                                                                                                    • Instruction Fuzzy Hash: 5FB2E0766022998BE7A7CE69D544BED37A5F78C3C8F509125EA0657B88DF34CB48CB00
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: ?Vse4"$NtAlpcConnectPort$NtAlpcCreatePort$NtAlpcSetInformation$TpAllocAlpcCompletion$\RPC Control\$ntdll.dll
                                                                                                                    • API String ID: 0-3440571002
                                                                                                                    • Opcode ID: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
                                                                                                                    • Instruction ID: 8c3100648684ed6cf3a6acba9f1e9974d33f54458c7afc613a7cd7d66638faa8
                                                                                                                    • Opcode Fuzzy Hash: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
                                                                                                                    • Instruction Fuzzy Hash: 53124DF5720E9891EF94CBB9E8687C66362F78D798F81A117DE0D57624DE38C20AC700
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionThrow
                                                                                                                    • String ID: __restrict$__swift_1$__swift_2$__unaligned$call
                                                                                                                    • API String ID: 432778473-3141380587
                                                                                                                    • Opcode ID: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
                                                                                                                    • Instruction ID: 673e966dcc0d85f334313fac89718d38bf41ed5ef13417959e8c730922fdb805
                                                                                                                    • Opcode Fuzzy Hash: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
                                                                                                                    • Instruction Fuzzy Hash: 5C627E72701E8882EB86EB25D4583DD27A1FB8EBD4F408125FA5E577A6DF38C649C700
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                    • String ID: gfffffff
                                                                                                                    • API String ID: 3215553584-1523873471
                                                                                                                    • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                    • Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
                                                                                                                    • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                    • Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$taskmgr.exe
                                                                                                                    • API String ID: 0-638001070
                                                                                                                    • Opcode ID: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
                                                                                                                    • Instruction ID: 1bf4e9e1e70513e3816d114cab4aa84c7a719184b3830627372934e1f9606700
                                                                                                                    • Opcode Fuzzy Hash: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
                                                                                                                    • Instruction Fuzzy Hash: 0C8127F5324E9982EF95CBA8F8697D66322F7897D8F80A112CD1E57624DE38D209C704
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$winver.exe
                                                                                                                    • API String ID: 0-1160837885
                                                                                                                    • Opcode ID: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
                                                                                                                    • Instruction ID: 55855d67a1f766f1614c6ad6b77d44964cb4204ffe99e224a87b86ff19b563fd
                                                                                                                    • Opcode Fuzzy Hash: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
                                                                                                                    • Instruction Fuzzy Hash: C841A4B5324E9882FF55CB69F8687966322F789BD8F40A116CD5E4B764DE3CC20AC704
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpy_s
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1502251526-0
                                                                                                                    • Opcode ID: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
                                                                                                                    • Instruction ID: 57088630f82899a46a4f04304140a90d468cb093ad556e4d18a7d8c59b71a2f9
                                                                                                                    • Opcode Fuzzy Hash: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
                                                                                                                    • Instruction Fuzzy Hash: 5EC1387671628987EB66CF19E044B9EB791F7987C4F44C125EB4A43B84DB38EA09DB00
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0$ko-KR
• API String ID: 3215553584-2196303776
• Opcode ID: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
• Instruction ID: 454ebc8193fa5ca865f8f1965dd2a4e4b4682b0a5584ee5ea9980d899769f2f6
• Opcode Fuzzy Hash: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
• Instruction Fuzzy Hash: 3A71D33521070D82FBFB9A1990807E963A1E74D7C4FA4D126BE49437ABCF35CA4B9705
Strings
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID:
• String ID: 0$p
• API String ID: 0-2059906072
• Opcode ID: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
• Instruction ID: 3ee67f828506e40d833cc10e170725f94807106ad1cab914bfb00022e22d59fe
• Opcode Fuzzy Hash: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
• Instruction Fuzzy Hash: A731F075605E9D81EB55DF56E894BD62321F388BD8F42A212ED4E0BB24EE3CC15AC700
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
• Instruction ID: 1f61cd1c6d9a0cc47e5c3170d1c15f4e9de5b8ae94a737795fa3a990e1df4aaf
• Opcode Fuzzy Hash: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
• Instruction Fuzzy Hash: 0BA1E67231069881EBA3DB66A8047DAA3A0F78DBD4F549526FE9D07BC4DF78C64D8304
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID: _clrfp
• String ID:
• API String ID: 3618594692-0
• Opcode ID: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
• Instruction ID: 0593f73a9b31075b8e6bf2cb9e383320a294c5aeb291d1da762f6cdddc12ea76
• Opcode Fuzzy Hash: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
• Instruction Fuzzy Hash: 10B12B73600B88CBEB56CF29C88679C77A0F349B88F19C916EB59877A8CB35C955C701
Strings
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID: ExceptionThrow
• String ID: l section in CAtlBaseModule
• API String ID: 432778473-2709337986
• Opcode ID: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
• Instruction ID: 3133a5dfd5f79aac6ce2c53f471fbcfe22b2aa6c2a7d5a5a984ae032cb248d46
• Opcode Fuzzy Hash: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
• Instruction Fuzzy Hash: 23027C36600E8886EB96DF25E8443DD73A1FB8DBD5F448526EA4E43BA4DF38C648C700
Strings
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID:
• String ID: __restrict
• API String ID: 0-803856930
• Opcode ID: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
• Instruction ID: 2a1f3f8c5416bf1435224dd1e95b651f0a407b08188742a7ac323c2b5a68232f
• Opcode Fuzzy Hash: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
• Instruction Fuzzy Hash: DAF15936601F4886EB928F65D8543DC73A5EB8DBC8F548526FE0E47BA4DE78CB498340
Strings
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
• API String ID: 3215553584-4108050209
• Opcode ID: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
• Instruction ID: 71f2418fc044250fc616a08c0bb954c8cfb89a1255eab9d4a98bc77a135e3a3b
• Opcode Fuzzy Hash: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
• Instruction Fuzzy Hash: 5871E235210A0D82FBFB9A29A0407F92392E7487C4F94D016BE46577EACF35CA4B9745
Strings
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID:
• String ID: 201ef99a-7fa0-444c-9399-19ba84f12a1a
• API String ID: 0-3963691810
• Opcode ID: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
• Instruction ID: f859e3b1c76c282179c02603d62779a177e542a7d14e57d8a75f66858979eba8
• Opcode Fuzzy Hash: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
• Instruction Fuzzy Hash: A54153B1715B9D46EF89CB78D9653A62322FB8C7ACF40A516C90E47765DE38C209C300
Strings
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID:
• String ID: ncalrpc
• API String ID: 0-2983622238
• Opcode ID: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
• Instruction ID: 72ca54434e2e545ad87ad6f85711ca4f80c48705b1af1cf0b8a8e1738ac29a0d
• Opcode Fuzzy Hash: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
• Instruction Fuzzy Hash: 99312FB1721A6952EF49CF78E8687966762F79C794F91E522CE0E4B624DE3CC209C700
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
• Instruction ID: 6d80879f2b6ca484a565809d41c0eb2dabc8ae21e66747f9efe079bfb1bd8c10
• Opcode Fuzzy Hash: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
• Instruction Fuzzy Hash: DA22D177310AA882EB46DB65C0547AC33B6FB48B84F028116FB599B7B1DF38D668C354
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
• Instruction ID: 946e0dd2bba7b3100fd246393857d7d015b19ff97fe3a12f1d34a5a40530aed8
• Opcode Fuzzy Hash: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
• Instruction Fuzzy Hash: E4E181722046C986EBB2CB15E8943E977A1F78E7D4F84C121EA8A936D5DF78C64DC700
Memory Dump Source
• Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_install.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
• Instruction ID: c02e86e1f92cc5576d6cd232989999bceb531278b49536794b781076c4770d9c
• Opcode Fuzzy Hash: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
• Instruction Fuzzy Hash: BFE1D032708A848AE793CF68E5803DD77B1F74A7D8F548116EA4E57B99DE38C25AC700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
                                                                                                                    • Instruction ID: 207e761d23252ea67ff1337872d1fa257f2b4668b6d9f4a23401ae9418e5b291
                                                                                                                    • Opcode Fuzzy Hash: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
                                                                                                                    • Instruction Fuzzy Hash: AFB1AB72A10B8886E352CF39D8457DC37A4F389B88F519216EE4D17B66DF35D689CB00
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
                                                                                                                    • Instruction ID: 30b487c4dbfd5edb157edb9dd0446cf9089909246d75a709a71c41256c183c41
                                                                                                                    • Opcode Fuzzy Hash: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
                                                                                                                    • Instruction Fuzzy Hash: 4F410672B10A5886EB14CF64F815B9AB3A8F788794F505025DF8E47B68EF3CC156C700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
                                                                                                                    • Instruction ID: 6a73b4ca67aa358b5cca9cf8f50e7addbf38a80432c4fb2377473208703d20e7
                                                                                                                    • Opcode Fuzzy Hash: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
                                                                                                                    • Instruction Fuzzy Hash: 645126E9654B9982EF94DBA9F8693D62322FB497D8F80F112CE1E57724DD38D209C304
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
                                                                                                                    • Instruction ID: b6fa69fb7e3d6089a58b1dc0a55349c666dd73e1d328c0310e1d9ae523244059
                                                                                                                    • Opcode Fuzzy Hash: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
                                                                                                                    • Instruction Fuzzy Hash: A351CF32715F8896EB64CB65F94478A73A5F7887C4F54412AEA8E83B28EF3CD119C700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
                                                                                                                    • Instruction ID: 9937fe3f73516922539d469a7d9b5dbd200fa43091dfd9594953e81ca0841af9
                                                                                                                    • Opcode Fuzzy Hash: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
                                                                                                                    • Instruction Fuzzy Hash: 7F51C2B5760E9982EB64CF65E8687D66321FB89BD4F44E126DE0E57B24DE3CC11AC300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
                                                                                                                    • Instruction ID: 211af31c44281ca6c3f3932d9a28d26ed70725301ca9e5a4bb4aa04c7d8998f6
                                                                                                                    • Opcode Fuzzy Hash: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
                                                                                                                    • Instruction Fuzzy Hash: 25419232310A5886EB85CF6AE954399A391E34CFD4F49D427EE4D97B58DE3CC649C300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
                                                                                                                    • Instruction ID: 9b73b6c5183f860324fa61cee2baeb0ca0f8f8b507aed4a99a4e0eda6c344d24
                                                                                                                    • Opcode Fuzzy Hash: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
                                                                                                                    • Instruction Fuzzy Hash: 984103B3714E4995EB25CF61E86478AB3A5F3887D8F44E126EE4D07A58DF38C246C300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
                                                                                                                    • Instruction ID: 048e6db2ecfd184872977d7eb727c5e493510e05d032e6f18c4ab6865a9947bf
                                                                                                                    • Opcode Fuzzy Hash: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
                                                                                                                    • Instruction Fuzzy Hash: B341B37261C6888AF7EB8F15B4847967B91E34E3D0F11C429F94A87691DF79C6888F00
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
                                                                                                                    • Instruction ID: ea9816badbe891c07a2aded6d1ec92d5857af46983f2473552b7590bc608b90a
                                                                                                                    • Opcode Fuzzy Hash: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
                                                                                                                    • Instruction Fuzzy Hash: 24419D76B20A8886EB14CB65F45479AB365F38CBC4F40912ADE4E53B68DE3CC216C740
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
                                                                                                                    • Instruction ID: baf3eb62263214422a0973d769ae56c08939dd68f110effc1bb9cb03c9f86de4
                                                                                                                    • Opcode Fuzzy Hash: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
                                                                                                                    • Instruction Fuzzy Hash: CE2159F5720AA892EB85CFB4E468BD627A1F74C3A4F81A413DE0D47620EE39C209C300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
                                                                                                                    • Instruction ID: 7d1135aa24797edbf35de8feb47ffd13e3235087d5b84f893e072cfd3e31e24b
                                                                                                                    • Opcode Fuzzy Hash: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
                                                                                                                    • Instruction Fuzzy Hash: D1118EA271498C46FB96DBB4F969BD76322EB4C3A9F80A012DD0D07A55DD3CC24AC700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
                                                                                                                    • Instruction ID: 95480194bb9f6c9ad9d964584a4fad66eb43ce3f3ee230db89eb3e49904c33dd
                                                                                                                    • Opcode Fuzzy Hash: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
                                                                                                                    • Instruction Fuzzy Hash: 56210BF2711A5D92EB49DF75D868BD667A2E78CBD4F41E512CD0E5B624DE3CC2098300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
                                                                                                                    • Instruction ID: 02ba138fbc53fc0a7e206b6c0fccc1f4cb11f22df8a79a790e142c2087e4c986
                                                                                                                    • Opcode Fuzzy Hash: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
                                                                                                                    • Instruction Fuzzy Hash: 48213BB6761A5DC5EF49DF65E868B8A6721F788BD8F41A122CD0E47728DE3CD209C700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
                                                                                                                    • Instruction ID: 4519c20df033b0754d584584f46a47e9c3f61284702b1b178af72c485ed47193
                                                                                                                    • Opcode Fuzzy Hash: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
                                                                                                                    • Instruction Fuzzy Hash: E02160F5714F8482EB45CBB5E8593CA63B1FB897A4F40A506DA4E57A24EE3CD20AC700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
                                                                                                                    • Instruction ID: bc53908923a101081ac78a2ff91d1596a8a62396a49556bd27b6b69a29ae519e
                                                                                                                    • Opcode Fuzzy Hash: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
                                                                                                                    • Instruction Fuzzy Hash: 6511E3E262096C82FB59DFA6A869F862332E349BD8F01E123DD5E5B714DD39C10BC300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
                                                                                                                    • Instruction ID: 8fbfe2caa4e00eb4ae2a73ae29cd16ebba4a4082f14f5113274d96e794981e6d
                                                                                                                    • Opcode Fuzzy Hash: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
                                                                                                                    • Instruction Fuzzy Hash: 0721A4B2709A9882EB55CF64E4687977761FB8C798F41A116DE4E47A14EF3DC109C700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
                                                                                                                    • Instruction ID: 9e59c1c7de84271de07ddad5238888e61d5fae15b8e3d2a62c0818bf1ca1a5d9
                                                                                                                    • Opcode Fuzzy Hash: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
                                                                                                                    • Instruction Fuzzy Hash: 2F1151B5714E9882EB54CB74E46839A6361F7887B8F80A316C92E576E4DF39C10AC744
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
                                                                                                                    • Instruction ID: 453c13d840d8ab8480c25eabad8a5a4e6cf22c2320a7064174f112572a8564ab
                                                                                                                    • Opcode Fuzzy Hash: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
                                                                                                                    • Instruction Fuzzy Hash: 8E113CE171196846FF89CF65D9697665393EB8C7E4F81E426CE0E8B768ED3CC1098304
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
                                                                                                                    • Instruction ID: dcb26d1462b17352493136ca1a284502f5bdb4a1f8be4333a819d013a470b478
                                                                                                                    • Opcode Fuzzy Hash: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
                                                                                                                    • Instruction Fuzzy Hash: 3311C2B6624A9E42E709DFF4B424FCA3771E389750F00B517DE4A53510DE38C21AC300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
                                                                                                                    • Instruction ID: 1bcc190078e11d5e3502c0fb8cfdf52a8957de65a2b1b8071e9e04ba3849ecfd
                                                                                                                    • Opcode Fuzzy Hash: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
                                                                                                                    • Instruction Fuzzy Hash: 9D1100F5721E9841FB49CB75D4683D66362E788794F80A917CA0F57664DD39C2498340
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
                                                                                                                    • Instruction ID: 81b86e7094c320bcc5e7f926c263843823ab5f04b050e6f3beb40bfc522f2c83
                                                                                                                    • Opcode Fuzzy Hash: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
                                                                                                                    • Instruction Fuzzy Hash: 4F114FB5614E9882EB54CB78F4687DA6321F78C798F80B113CD0E57625EE39C21AC340
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
                                                                                                                    • Instruction ID: 58ab01e0f729e006e025e3cd5db47f1a357a7dbbf023e6ea43b04656e7f2b6d0
                                                                                                                    • Opcode Fuzzy Hash: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
                                                                                                                    • Instruction Fuzzy Hash: 6A113DB1715E6881EB59CF65E9587866362F74C798F82E122CC4E47728EE39C248C700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
                                                                                                                    • Instruction ID: 246bc5305b8913a4d01db227893256f8bf5d597bde7be6eae501e461eb4fa0bc
                                                                                                                    • Opcode Fuzzy Hash: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
                                                                                                                    • Instruction Fuzzy Hash: A4113CB2711E5C91EB49CF25E868B9A67A1F78CB94F41E526DE0E47768DE3CC209C300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
                                                                                                                    • Instruction ID: 91f1bf17694832eb7885352137df2ae2a0c82d5e88c9f87b3bad460dc89f63f9
                                                                                                                    • Opcode Fuzzy Hash: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
                                                                                                                    • Instruction Fuzzy Hash: 451169F531286D82EB89CF65E929B865322E7487D8F82F112CC0E4B718ED39D109C700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
                                                                                                                    • Instruction ID: 39990edd012c80a11a8c246ade81e0b00b1fb03419df7482220b1a2638345046
                                                                                                                    • Opcode Fuzzy Hash: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
                                                                                                                    • Instruction Fuzzy Hash: 7E11A5F1330A8886FB95CBB5E8683DA6361E78D7D4F84B012CE0E47765CE28C20AC304
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
                                                                                                                    • Instruction ID: 15f0b12e67b83b815c9156cfa897ef3110cdd404d207d48cd89176b21f2d8fa0
                                                                                                                    • Opcode Fuzzy Hash: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
                                                                                                                    • Instruction Fuzzy Hash: 06015EB5751E6D82EB89DF75E4697DA2320EB48B94F82B512CC0E57320ED3CDA0AC300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
                                                                                                                    • Instruction ID: 22dcafcaff4b78d83aaf35a6f31f5da21172cbe544e4bfae6083fdcba81ddec3
                                                                                                                    • Opcode Fuzzy Hash: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
                                                                                                                    • Instruction Fuzzy Hash: 080152F5611E9D82EB45CBB9E8A83D76325E78D7E8F40E1128E0E67625DE38C2098300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
                                                                                                                    • Instruction ID: c05fe9916e29f3615726ac8ab40efd06a7f832fe150a5180127c36e0d361f74a
                                                                                                                    • Opcode Fuzzy Hash: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
                                                                                                                    • Instruction Fuzzy Hash: 130125F1652E5E82FB59CBA4E569BC66362EB487D8F40F1179D0D07618EE3CD219C304
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
                                                                                                                    • Instruction ID: c5723c18dcfd40d5e26eb64c6513ed8ad7c8279d3e69258c72aec0d621b19a73
                                                                                                                    • Opcode Fuzzy Hash: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
                                                                                                                    • Instruction Fuzzy Hash: 15F06871714A548AEBD5CF2CA44276A77D0F30C3C4FA0C519E68983B04D63D8165CF04
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1326835672-0
                                                                                                                    • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                    • Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
                                                                                                                    • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                    • Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
                                                                                                                    • String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
                                                                                                                    • API String ID: 2273495996-2419032777
                                                                                                                    • Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                    • Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
                                                                                                                    • Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                    • Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _set_statfp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1156100317-0
                                                                                                                    • Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                    • Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
                                                                                                                    • Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                    • Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                    • String ID: *$ko-KR
                                                                                                                    • API String ID: 3215553584-1095117856
                                                                                                                    • Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                    • Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
                                                                                                                    • Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                    • Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: __swift_1$__swift_2
                                                                                                                    • API String ID: 0-2914474356
                                                                                                                    • Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                    • Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
                                                                                                                    • Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                    • Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                    • String ID: gfff$o-l1-2-1
                                                                                                                    • API String ID: 3215553584-1082851355
                                                                                                                    • Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                    • Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
                                                                                                                    • Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                    • Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                    • String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
                                                                                                                    • API String ID: 3215553584-688204690
                                                                                                                    • Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                    • Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
                                                                                                                    • Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                    • Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DestructExceptionObject$__vcrt_getptd_noexit
                                                                                                                    • String ID: csm
                                                                                                                    • API String ID: 3780691363-1018135373
                                                                                                                    • Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                    • Instruction ID: 011c5e600e2baba1b5aebe761702f78806dc8dec4a9d5acc90072a234146c346
                                                                                                                    • Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                    • Instruction Fuzzy Hash: 40212D76204A4887E7B2DF15E05079E7760F39DBE4F008206EEA943795CF39DA8ACB01
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __std_exception_copy
                                                                                                                    • String ID: `vector destructor iterator'$nt delete closure'
                                                                                                                    • API String ID: 592178966-1611991873
                                                                                                                    • Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                    • Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
                                                                                                                    • Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                    • Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1699492353.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.1699401767.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700381156.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700409415.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.1700438990.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_install.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                    • String ID: File
                                                                                                                    • API String ID: 932687459-749574446
                                                                                                                    • Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                    • Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
                                                                                                                    • Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                    • Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00

Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 51.2%
Total number of Nodes: 379
Total number of Limit Nodes: 38
45640 1845c4f09f3 IsBadReadPtr 45634->45640 45641 1845c4f099e 45634->45641 45635->45625 45636->45635 45637->45627 45638->45637 45642 1845c4f097e LeaveCriticalSection 45639->45642 45643 1845c4f095e 45639->45643 45645 1845c4f0a5e IsBadReadPtr 45640->45645 45646 1845c4f0a09 45640->45646 45641->45640 45644 1845c4f09a3 EnterCriticalSection VirtualAlloc 45641->45644 45642->45634 45643->45642 45650 1845c4f09e9 LeaveCriticalSection 45644->45650 45651 1845c4f09c9 45644->45651 45648 1845c4f0ac9 IsBadReadPtr 45645->45648 45649 1845c4f0a74 45645->45649 45646->45645 45647 1845c4f0a0e EnterCriticalSection VirtualAlloc 45646->45647 45652 1845c4f0a54 LeaveCriticalSection 45647->45652 45653 1845c4f0a34 45647->45653 45655 1845c4f0adf 45648->45655 45656 1845c4f0b1c 45648->45656 45649->45648 45654 1845c4f0a79 EnterCriticalSection VirtualAlloc 45649->45654 45650->45640 45651->45650 45652->45645 45653->45652 45658 1845c4f0abf LeaveCriticalSection 45654->45658 45659 1845c4f0a9f 45654->45659 45655->45656 45660 1845c4f0ae4 EnterCriticalSection 45655->45660 45657 1845c4f0b1f IsBadReadPtr 45656->45657 45661 1845c4f0b6e 45657->45661 45662 1845c4f0b38 45657->45662 45658->45648 45659->45658 45663 1845c4f0b13 LeaveCriticalSection 45660->45663 45664 1845c4f0af9 45660->45664 45666 1845c4f0b71 IsBadReadPtr 45661->45666 45662->45661 45665 1845c4f0b3d EnterCriticalSection 45662->45665 45663->45656 45664->45663 45671 1845c4f0da1 LeaveCriticalSection 45664->45671 45667 1845c4f0b52 45665->45667 45668 1845c4f0b65 LeaveCriticalSection 45665->45668 45669 1845c4f0bc1 45666->45669 45670 1845c4f0b8b 45666->45670 45667->45668 45672 1845c4f0db3 LeaveCriticalSection 45667->45672 45668->45661 45674 1845c4f0bc4 IsBadReadPtr 45669->45674 45670->45669 45673 1845c4f0b90 EnterCriticalSection 45670->45673 45671->45657 45672->45666 45675 1845c4f0bb8 LeaveCriticalSection 45673->45675 45680 1845c4f0ba5 45673->45680 45676 1845c4f0bde 45674->45676 45677 1845c4f0c1c 45674->45677 45675->45669 45676->45677 45678 1845c4f0be3 
EnterCriticalSection 45676->45678 45679 1845c4f0c1f IsBadReadPtr 45677->45679 45682 1845c4f0c13 LeaveCriticalSection 45678->45682 45683 1845c4f0bf8 45678->45683 45684 1845c4f0c6f 45679->45684 45685 1845c4f0c39 45679->45685 45680->45675 45681 1845c4f0dc5 LeaveCriticalSection 45680->45681 45681->45674 45682->45677 45683->45682 45688 1845c4f0dd7 LeaveCriticalSection 45683->45688 45687 1845c4f0c72 IsBadReadPtr 45684->45687 45685->45684 45686 1845c4f0c3e EnterCriticalSection 45685->45686 45689 1845c4f0c53 45686->45689 45690 1845c4f0c66 LeaveCriticalSection 45686->45690 45691 1845c4f0cc2 45687->45691 45692 1845c4f0c8c 45687->45692 45688->45679 45689->45690 45694 1845c4f0de9 LeaveCriticalSection 45689->45694 45690->45684 45693 1845c4f0cc5 IsBadReadPtr 45691->45693 45692->45691 45695 1845c4f0c91 EnterCriticalSection 45692->45695 45698 1845c4f0cdf 45693->45698 45699 1845c4f0d1c 45693->45699 45694->45687 45696 1845c4f0cb9 LeaveCriticalSection 45695->45696 45697 1845c4f0ca6 45695->45697 45696->45691 45697->45696 45700 1845c4f0dfb LeaveCriticalSection 45697->45700 45698->45699 45701 1845c4f0ce4 EnterCriticalSection 45698->45701 45702 1845c4f0d1f IsBadReadPtr 45699->45702 45700->45693 45703 1845c4f0d13 LeaveCriticalSection 45701->45703 45704 1845c4f0cf9 45701->45704 45705 1845c4f0d6f 45702->45705 45706 1845c4f0d39 45702->45706 45703->45699 45704->45703 45708 1845c4f0e0d LeaveCriticalSection 45704->45708 45705->45609 45706->45705 45707 1845c4f0d3e EnterCriticalSection 45706->45707 45709 1845c4f0d53 45707->45709 45710 1845c4f0d66 LeaveCriticalSection 45707->45710 45708->45702 45709->45710 45711 1845c4f0e1f LeaveCriticalSection 45709->45711 45710->45705 45711->45705 45712->45485 45713->45522 45714->45524 45715->45513 45716->45527 45717->45535 45719->45531 45720->45517 45722 1845c4efe20 CreateProcessW 45723 1845c4efef7 SuspendThread 45722->45723 45724 1845c4efec6 GetLastError 45722->45724 45730 1845c4ef9e0 VirtualAllocEx 45723->45730 45725 1845c4efee3 45724->45725 45726 1845c4efed8 
CloseHandle 45724->45726 45728 1845c4efef3 45725->45728 45729 1845c4efeed CloseHandle 45725->45729 45726->45725 45729->45728 45731 1845c4efa3f GetLastError 45730->45731 45732 1845c4efa4a VirtualAllocEx 45730->45732 45747 1845c4efcdb 45731->45747 45733 1845c4efa99 GetLastError 45732->45733 45734 1845c4efa79 WriteProcessMemory 45732->45734 45733->45747 45734->45733 45735 1845c4efaa4 VirtualAllocEx 45734->45735 45736 1845c4efcd3 GetLastError 45735->45736 45737 1845c4efad7 WriteProcessMemory 45735->45737 45736->45747 45737->45736 45738 1845c4efafc 45737->45738 45748 1845c4ef560 45738->45748 45741 1845c4efb04 WriteProcessMemory 45741->45736 45742 1845c4efc02 VirtualProtectEx VirtualProtectEx 45741->45742 45743 1845c4efc4d memset GetThreadContext SetThreadContext 45742->45743 45744 1845c4efc88 45742->45744 45745 1845c4efcc6 ResumeThread 45743->45745 45746 1845c4efc8d memset Wow64GetThreadContext Wow64SetThreadContext 45744->45746 45744->45747 45745->45736 45745->45747 45746->45745 45747->45728 45749 1845c4ef6f1 45748->45749 45750 1845c4ef574 45748->45750 45749->45741 45750->45749 45751 1845c4ef584 VirtualAlloc 45750->45751 45752 1845c4ef5b0 memcpy 45751->45752 45753 1845c4ef6ba 45751->45753 45756 1845c4ef5c4 45752->45756 45753->45741 45754 1845c4ef6d9 VirtualFree 45754->45753 45755 1845c4ef69a 45757 1845c4ef6cf VirtualFree 45755->45757 45758 1845c4ef6af VirtualFree 45755->45758 45756->45754 45756->45755 45757->45753 45758->45753 45759 1845c4f6f00 IsBadReadPtr 45760 1845c4f6f91 45759->45760 45761 1845c4f6f18 45759->45761 45761->45760 45762 1845c4f6f1d EnterCriticalSection 45761->45762 45763 1845c4f6f5a LeaveCriticalSection DeleteCriticalSection VirtualFree 45762->45763 45764 1845c4f6f39 45762->45764 45763->45760 45765 1845c4f6f40 VirtualFree 45764->45765 45765->45763 45765->45765 45766 1845b3a0000 45769 1845b3a0a68 45766->45769 45768 1845b3a0019 45770 1845b3a0a84 45769->45770 45772 1845b3a0b0e 45770->45772 45773 1845b3a0768 45770->45773 45772->45768 45776 1845b3a0778 
45773->45776 45775 1845b3a0771 45775->45772 45777 1845b3a07a8 45776->45777 45779 1845b3a088a 45777->45779 45780 1845b3a0508 45777->45780 45779->45775 45783 1845b3a052c 45780->45783 45781 1845b3a06fa 45781->45779 45782 1845b3a061d LoadLibraryA 45782->45781 45782->45783 45783->45781 45783->45782 45784 1845b3a06c1 GetProcAddressForCaller 45783->45784 45784->45781 45784->45783 45785 1845b370345 45786 1845b3703ff 45785->45786 45788 1845b370360 45785->45788 45787 1845b370387 VirtualFree 45787->45788 45788->45786 45788->45787 45793 1845b370000 45796 1845b370a68 45793->45796 45795 1845b370019 45797 1845b370a84 45796->45797 45799 1845b370b0e 45797->45799 45800 1845b370768 45797->45800 45799->45795 45803 1845b370778 45800->45803 45802 1845b370771 45802->45799 45804 1845b3707a8 45803->45804 45806 1845b37088a 45804->45806 45807 1845b370508 45804->45807 45806->45802 45808 1845b37052c 45807->45808 45809 1845b3706fa 45808->45809 45810 1845b37061d LoadLibraryA 45808->45810 45809->45806 45810->45808 45810->45809 45815 1800019d0 DeleteFileW 45816 1800019e3 SleepEx DeleteFileW 45815->45816 45817 1800019fb 45815->45817 45816->45816 45816->45817 45818 180001920 memset GetModuleFileNameW wcsstr 45819 1800019a8 45818->45819 45820 18000197a IsUserAnAdmin 45818->45820 45830 180001010 malloc 45819->45830 45821 180001984 45820->45821 45822 180001995 45820->45822 45867 1800015b0 28 API calls 45821->45867 45827 18000199f ExitProcess 45822->45827 45826 18000198c ExitProcess 45831 180001568 45830->45831 45836 18000104e 45830->45836 45832 180112660 8 API calls 45831->45832 45833 18000159f 45832->45833 45868 180112660 45833->45868 45834 1800010c4 malloc 45834->45831 45835 1800010db memcpy memcpy 45834->45835 45837 180001120 45835->45837 45836->45834 45837->45831 45838 180001195 memset wsprintfW CreateFileW 45837->45838 45839 180001212 GetLastError 45838->45839 45840 18000121a WriteFile 45838->45840 45843 18000124c SleepEx memset wsprintfW CreateFileW 45839->45843 45841 180001243 CloseHandle 
45840->45841 45842 18000123d GetLastError 45840->45842 45841->45843 45842->45841 45844 1800012c4 GetLastError 45843->45844 45845 1800012cc WriteFile 45843->45845 45846 1800012fe SleepEx memset wsprintfW CreateFileW 45844->45846 45847 1800012f5 CloseHandle 45845->45847 45848 1800012ef GetLastError 45845->45848 45849 180001376 GetLastError 45846->45849 45850 18000137e WriteFile 45846->45850 45847->45846 45848->45847 45851 1800013ac Sleep 45849->45851 45852 1800013a3 CloseHandle 45850->45852 45853 18000139d GetLastError 45850->45853 45851->45831 45854 1800013c1 VirtualAlloc 45851->45854 45852->45851 45853->45852 45854->45831 45855 1800013e6 memcpy CreateThread 45854->45855 45877 180001a10 CoInitializeEx 45855->45877 45858 180001523 memset memcpy CreateThread 45858->45831 45859 180001430 VariantInit 45860 180001498 45859->45860 45861 18000149c SysAllocString 45860->45861 45862 1800014be GetLastError 45860->45862 45864 1800014ba 45861->45864 45863 1800014c4 45862->45863 45863->45858 45865 1800014ca memset wsprintfW 45863->45865 45864->45862 45864->45863 45885 180001d60 45865->45885 45867->45826 45869 180112669 45868->45869 45870 1800019c0 45869->45870 45871 180112a14 IsProcessorFeaturePresent 45869->45871 45872 180112a2c 45871->45872 45898 180112ae8 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 45872->45898 45874 180112a3f 45899 1801129e0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 45874->45899 45878 180001b50 45877->45878 45878->45878 45879 180001cae CLSIDFromString 45878->45879 45880 180001d04 IIDFromString 45879->45880 45881 180001d3b 45879->45881 45880->45881 45882 180001d17 CoCreateInstance 45880->45882 45883 180112660 8 API calls 45881->45883 45882->45881 45884 180001423 45883->45884 45884->45858 45884->45859 45886 180001da5 SysAllocString 45885->45886 45897 18000206a 45885->45897 45887 180001dbb 45886->45887 45890 180001dd9 SysAllocString SysAllocString 45887->45890 45887->45897 45888 180112660 8 API calls 
45889 180002086 45888->45889 45889->45858 45891 180001e08 45890->45891 45892 180001f1f IIDFromString 45891->45892 45891->45897 45893 180001f4c 45892->45893 45894 180001f5e SysAllocString SysAllocString 45893->45894 45893->45897 45895 180001f88 45894->45895 45896 180001fd9 VariantInit SysAllocString 45895->45896 45895->45897 45896->45897 45897->45888 45898->45874

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$Leave$EnterRead$AllocVirtual$ProcessToken$AdjustCloseCurrentErrorHandleInitializeLastLookupOpenPrivilegePrivilegesValue
                                                                                                                    • String ID: SeDebugPrivilege
                                                                                                                    • API String ID: 3221255601-2896544425
                                                                                                                    • Opcode ID: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
                                                                                                                    • Instruction ID: 38a365d32710e25e2e81d19e58f1f5f30c45be460cad084a44fe52f2bcb49a47
                                                                                                                    • Opcode Fuzzy Hash: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
                                                                                                                    • Instruction Fuzzy Hash: B2324835300B4687EB598F51EA047ADA3A5FB95FC0F94C226CE5A43B94DF38E664C348

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4FB990: VirtualAlloc.KERNEL32 ref: 000001845C4FB9B9
                                                                                                                      • Part of subcall function 000001845C4FB990: memcpy.NTDLL ref: 000001845C4FB9DD
                                                                                                                      • Part of subcall function 000001845C4FB990: VirtualAlloc.KERNEL32 ref: 000001845C4FBA08
                                                                                                                      • Part of subcall function 000001845C4FB990: memcpy.NTDLL ref: 000001845C4FBA3D
                                                                                                                      • Part of subcall function 000001845C4FB990: memcpy.NTDLL ref: 000001845C4FBA73
                                                                                                                      • Part of subcall function 000001845C4FB990: memset.NTDLL ref: 000001845C4FBB0C
                                                                                                                      • Part of subcall function 000001845C4FB990: ExpandEnvironmentStringsW.KERNEL32 ref: 000001845C4FBB23
                                                                                                                      • Part of subcall function 000001845C4FB990: memset.NTDLL ref: 000001845C4FBB38
                                                                                                                      • Part of subcall function 000001845C4FD340: GetModuleHandleW.KERNEL32 ref: 000001845C4FD35F
                                                                                                                      • Part of subcall function 000001845C4FD340: GetCurrentProcess.KERNEL32 ref: 000001845C4FD379
                                                                                                                      • Part of subcall function 000001845C4FD340: K32GetModuleInformation.KERNEL32 ref: 000001845C4FD390
                                                                                                                      • Part of subcall function 000001845C4FD340: memset.NTDLL ref: 000001845C4FD3A8
                                                                                                                      • Part of subcall function 000001845C4FD340: GetSystemDirectoryW.KERNEL32 ref: 000001845C4FD3B7
                                                                                                                      • Part of subcall function 000001845C4FD340: lstrcatW.KERNEL32 ref: 000001845C4FD3D9
                                                                                                                      • Part of subcall function 000001845C4FD340: CreateFileW.KERNEL32 ref: 000001845C4FD406
                                                                                                                      • Part of subcall function 000001845C4FD340: CreateFileMappingW.KERNELBASE ref: 000001845C4FD42D
                                                                                                                      • Part of subcall function 000001845C4FD340: MapViewOfFile.KERNEL32 ref: 000001845C4FD457
                                                                                                                      • Part of subcall function 000001845C4FD340: VirtualProtect.KERNEL32 ref: 000001845C4FD4F2
                                                                                                                      • Part of subcall function 000001845C4FD340: memcpy.NTDLL ref: 000001845C4FD507
                                                                                                                    • WSAStartup.WS2_32 ref: 000001845C4E2167
                                                                                                                      • Part of subcall function 000001845C4FD7D0: CoInitializeEx.OLE32 ref: 000001845C4FD820
                                                                                                                      • Part of subcall function 000001845C4FD7D0: CoCreateInstance.COMBASE ref: 000001845C4FD845
                                                                                                                      • Part of subcall function 000001845C4FD7D0: CoUninitialize.OLE32 ref: 000001845C4FD86E
                                                                                                                    • GetCommandLineW.KERNEL32 ref: 000001845C4E21A4
                                                                                                                    • CommandLineToArgvW.SHELL32 ref: 000001845C4E21B4
                                                                                                                      • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EAFD7
                                                                                                                      • Part of subcall function 000001845C4EAFC0: CreateEventW.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB061
                                                                                                                      • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB086
                                                                                                                      • Part of subcall function 000001845C4EAFC0: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB098
                                                                                                                      • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB0BD
                                                                                                                      • Part of subcall function 000001845C4EAFC0: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB0CF
                                                                                                                      • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB0F4
                                                                                                                      • Part of subcall function 000001845C4EAFC0: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB106
                                                                                                                      • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB12B
                                                                                                                      • Part of subcall function 000001845C4EAFC0: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB13D
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4E21D5
                                                                                                                    • InitializeCriticalSection.KERNEL32 ref: 000001845C4E21E7
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4E220C
                                                                                                                    • InitializeCriticalSection.KERNEL32 ref: 000001845C4E221E
                                                                                                                    • memset.NTDLL ref: 000001845C4E223F
                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 000001845C4E2244
                                                                                                                    • lstrcmpiW.KERNEL32 ref: 000001845C4E2264
                                                                                                                    • lstrcmpiW.KERNEL32 ref: 000001845C4E227F
                                                                                                                    • ExitThread.KERNEL32 ref: 000001845C4E2290
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Alloc$Initialize$CriticalSection$Creatememcpymemset$File$CommandCurrentLineModuleProcesslstrcmpi$ArgvDirectoryEnvironmentEventExitExpandHandleInformationInstanceMappingProtectStartupStringsSystemThreadUninitializeViewlstrcat
                                                                                                                    • String ID: %s\%s$/Processid:{F8284233-48F4-4680-ADDD-F8284233}$18.166.104.207$C:\Program Files\Windows Mail$Inject Test$Microsoft Mail Update Task MachineCore$MicrosoftMailUpdateTask$ParphaCrashReport64.exe$Schedule$perfmon.exe$svchost.exe$taskmgr.exe
                                                                                                                    • API String ID: 3540647475-2820177564
                                                                                                                    • Opcode ID: e4bfe4048ee3d54e59998916ce248c807bf3acb0d7d6f17c8420b9b790105c66
                                                                                                                    • Instruction ID: b020d48f581f3a51a80805c9025c464bb803209034d44802e40c84033a74db8e
                                                                                                                    • Opcode Fuzzy Hash: e4bfe4048ee3d54e59998916ce248c807bf3acb0d7d6f17c8420b9b790105c66
                                                                                                                    • Instruction Fuzzy Hash: 5EE19031200A57D3EB289FB1ED407DD6361FBA6B44F84C326D90A466A6EF38C745C749

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
                                                                                                                    • String ID: %s\%s$\Microsoft\Windows
                                                                                                                    • API String ID: 1085075972-4137575348
                                                                                                                    • Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
                                                                                                                    • Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
                                                                                                                    • Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
                                                                                                                    • Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocErrorLastVirtual$MemoryProcessWrite
                                                                                                                    • String ID: @$h
                                                                                                                    • API String ID: 1382438346-1029331998
                                                                                                                    • Opcode ID: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
                                                                                                                    • Instruction ID: ffa8bb9d5679060274c192edda8875a2e98292844422b8fdaf3ff4d0c8d1a91d
                                                                                                                    • Opcode Fuzzy Hash: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
                                                                                                                    • Instruction Fuzzy Hash: A781E532218BC587E7648F69B84079EAB50F796BC4F849219EEC643B89DF3CC605CB45

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FromString$CreateInitializeInstance
                                                                                                                    • String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
                                                                                                                    • API String ID: 511945936-2205580742
                                                                                                                    • Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
                                                                                                                    • Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
                                                                                                                    • Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
                                                                                                                    • Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: String$Alloc$FromInitVariant
                                                                                                                    • String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
                                                                                                                    • API String ID: 929278495-107290059
                                                                                                                    • Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
                                                                                                                    • Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
                                                                                                                    • Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
                                                                                                                    • Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseEnumHandleServiceServicesStatusfree$ManagerOpenlstrcmpimallocmemset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2647132813-0
                                                                                                                    • Opcode ID: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
                                                                                                                    • Instruction ID: 88a1558a43fc4ea7b045347fb81026a46ee3ca45e6e6e98a1b7e4a01a8cff4e5
                                                                                                                    • Opcode Fuzzy Hash: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
                                                                                                                    • Instruction Fuzzy Hash: 7C41A632204B558BD764CF66F84069EB7A4F7C9B44F948225DA8E43B14DF3CD649CB44

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$AllocCloseCreateHandleProcessSnapshotToolhelp32
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1926892967-0
                                                                                                                    • Opcode ID: 556f8c45a5b3be51068a5fed4b8b05554424f686ed4d881aa42d630a1535f563
                                                                                                                    • Instruction ID: a2db3c4f43d9a416bc19abeb2d76d44d3a3296e32b18dfd239547535403be05e
                                                                                                                    • Opcode Fuzzy Hash: 556f8c45a5b3be51068a5fed4b8b05554424f686ed4d881aa42d630a1535f563
                                                                                                                    • Instruction Fuzzy Hash: 9221C131310A4283EB689F62E8047ADB7A0F789FE4F888321EE5647795DF3CD6418708
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
• String ID:
• API String ID: 1267121359-0
• Opcode ID: 44c899de9843c07d997477ea65153a2f26deeedfdeec94036e1e1bc8e67b5a7d
• Instruction ID: 72a64ac5ab2b89b045fcb62132ac7ec593ad37646025f2d6bf68d860be30e048
• Opcode Fuzzy Hash: 44c899de9843c07d997477ea65153a2f26deeedfdeec94036e1e1bc8e67b5a7d
• Instruction Fuzzy Hash: 51317C22E18B9583E711CB28D5083AD73A0F3AAB98F49E315DF9902756EF34E284C704

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: File$CreateModuleProtectVirtual$CurrentDirectoryHandleInformationMappingProcessSystemViewlstrcatmemcpymemset
• String ID: .text$\ntdll.dll$ntdll.dll
• API String ID: 992094507-3745270394
• Opcode ID: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
• Instruction ID: df02ff196e07b9798dbf293d1abc4370a181084f91e3cececcd59cfe634687cd
• Opcode Fuzzy Hash: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
• Instruction Fuzzy Hash: D651AE72714A9687EB65CF21E4487DEB3A0F799B48F848215CA8A03B58DF3CD244CB08

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2936356861.000001845B3A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B3A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845b3a0000_svchost.jbxd
Similarity
• API ID: AddressCallerLibraryLoadProc
• String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
• API String ID: 4215043672-3994871222
• Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction ID: c381af4db78858afda48622ee0d699de6729f89d134ab15c92d4731855fb9dee
• Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction Fuzzy Hash: 4771D130604A0A8BEB58EF58C845BED77E1FF94710F20815AD80AE7296DF35E9428F85

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2936300942.000001845B370000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845b370000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
• API String ID: 1029625771-3994871222
• Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction ID: a74a42356ef8f54fa7955b3c366e675d3a8961867c6609bc0195d9789616b061
• Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction Fuzzy Hash: 8471A031614A0A8BEB58EF58C855BED77E1FF94310F21815AD80AE7286DF34DA42CF85

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: StringUninitialize$AllocCreateFreeInitializeInstance
• String ID: Block All Outbound
• API String ID: 4211003860-2946277995
• Opcode ID: 295a4f62168f5a6f5119dea70b951de674f26a9291ccd047ab80a2b95cdfc5e8
• Instruction ID: 4c0aa9e46115998dcc924684b757b4575249f13291dda10f3b73d0ed50671016
• Opcode Fuzzy Hash: 295a4f62168f5a6f5119dea70b951de674f26a9291ccd047ab80a2b95cdfc5e8
• Instruction Fuzzy Hash: 50311876B00B15CBEB009F76D84429C7770F794F88B448926DA1D47B28DF38C664CB84

Control-flow Graph

(Rendered graph image not captured: basic blocks 1845c4ef560 through 1845c4ef700, with calls to VirtualAlloc, memcpy and VirtualFree; the executed / not-executed colouring of the blocks is not recoverable from the text.)
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$Allocmemcpy
• String ID: M$Z
• API String ID: 2981101286-4250246861
• Opcode ID: ec89bfb9e9449c1fd831b7383df3345bb054ba2f3537415f9bda132d024155c3
• Instruction ID: 98ecbdbaaa5dde0254cb65932f8bcb7f3ff8020b1b5658f4ccc75085e62ecc5e
• Opcode Fuzzy Hash: ec89bfb9e9449c1fd831b7383df3345bb054ba2f3537415f9bda132d024155c3
• Instruction Fuzzy Hash: 9D410236B10BC283FB158F3DD0007AD6790A7E6B94F55C315EA96163E5EF29C602C309

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CloseHandle$CreateErrorLastProcessSuspendThread
• String ID: h
• API String ID: 2500411409-2439710439
• Opcode ID: 0b268da3d10d4c3e51607ed6fa644b71a4395eb09a036cb45f3a7793d543c8a6
• Instruction ID: a1a21c8a76dd3432da82a2d8d92c1181e469f071f561da0d7d75e3bff373a155
• Opcode Fuzzy Hash: 0b268da3d10d4c3e51607ed6fa644b71a4395eb09a036cb45f3a7793d543c8a6
• Instruction Fuzzy Hash: 8731AE37A18B81C7E7508F91E44479EB3A4F3A8B94F129326EA9803B15DF79C5D0CB04

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$FreeVirtual$DeleteEnterLeaveRead
• String ID:
• API String ID: 4123369522-0
• Opcode ID: aa19078ca0c6afd7a821f8a8ac8a84ee5709a37a32491cc2cb8c739b25d204c7
• Instruction ID: 8ae27e31e23b89755b310283ec15db42feeb2ec51d47047bda7a1a9d16e5319e
• Opcode Fuzzy Hash: aa19078ca0c6afd7a821f8a8ac8a84ee5709a37a32491cc2cb8c739b25d204c7
• Instruction Fuzzy Hash: C3019A31324F4283FB488F62E54439DA361FBA9F88F88C122DE5A03B54DF38D2658718
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: DeleteFile$Sleep
• String ID:
• API String ID: 2100639427-0
• Opcode ID: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
• Instruction ID: ee9c1bd20bde787a3df6403edb75ddca03fdaf3f5216dae4a0b383b50a80e175
• Opcode Fuzzy Hash: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
• Instruction Fuzzy Hash: 5CD05E20301A0986FB9A5BB2E8583E613A85B0DBD2F0860249C1685280DF18C7CE8301
APIs
Memory Dump Source
• Source File: 00000002.00000002.2936356861.000001845B3A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B3A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845b3a0000_svchost.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction ID: ef4bb6c71454d22b561e0105ee1553b42766148eaa3c283ca195eff69e386f39
• Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction Fuzzy Hash: 2131C3316586018BDB5CEA1CE8C26A973D0F795304B30529EE9C7D71C7EE39E9438B89
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939564346.000001845C380000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001845C380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c380000_svchost.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction ID: 951e66a6b1d21aabd3b8155fc870e722c2ada9e282e41ce921d080dec94f9224
• Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction Fuzzy Hash: 6E31E5316496058BDB5CDA1CE8C26A873D0FB55304B60429DDAC7C7187EE39E803C789
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2936300942.000001845B370000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B370000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845b370000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1263568516-0
                                                                                                                    • Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                    • Instruction ID: fb5624946f701f58ffc31c8419db3424fa54852be020087c6986d22e8504e12a
                                                                                                                    • Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                    • Instruction Fuzzy Hash: 7131C3316586018BEB5CDA1CE8C26AD73D0F795304B20519EE9C7D7187EE39E9438B89
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ProcessProcess32TerminateThread$CloseCreateCurrentExitFirstHandleNextSleepSnapshotToolhelp32lstrcmpimemset
                                                                                                                    • String ID: %s\%s$.sys$18.166.104.207$C:\Program Files\Windows Mail$Inject Test$MicrosoftMailUpdateTask$ParphaCrashReport64.exe$\drivers\$arphaDump64.bin$arphaDump64.dll$install.cfg$sys$temp.key
                                                                                                                    • API String ID: 946687889-4213841698
                                                                                                                    • Opcode ID: 8dbe50d77f5718792daa63e7825474cf3ac01c488a0ec9092139019c621d13d3
                                                                                                                    • Instruction ID: 6ab1ac2c70caad825dfc093b1eae6746e03858c719bffa4d84152d2260ec190f
                                                                                                                    • Opcode Fuzzy Hash: 8dbe50d77f5718792daa63e7825474cf3ac01c488a0ec9092139019c621d13d3
                                                                                                                    • Instruction Fuzzy Hash: 45C14E32200AABD7EB25DFA1EC447DDA371F7A5B48F84C212C90A46665EF38C749C749
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$Token$CloseHandle$Freememset$LookupOpenVirtuallstrcpy$File$AccountAdjustCreateCurrentErrorGlobalInformationLastPrivilegePrivilegesProcess32Value$AllocClassDeviceDriveEnumFirstImageInfoLogicalMemoryModulesNameNextPriorityQuerySessionSizeSnapshotStringsToolhelp32__chkstklstrcatlstrlenwcsncmp
                                                                                                                    • String ID: H$SeDebugPrivilege$unknown
                                                                                                                    • API String ID: 976869081-3969872153
                                                                                                                    • Opcode ID: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
                                                                                                                    • Instruction ID: 9f82c31e2c7568b2c87e75ad0a7f684a87b3a53f41341551b6bd8e16aead4708
                                                                                                                    • Opcode Fuzzy Hash: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
                                                                                                                    • Instruction Fuzzy Hash: E522A332600B9687EB24CF61E8447DD73A1FB99B98F808316EA5947B98EF38C745C744
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$Free$Virtual$CloseHandle$ErrorHeapLast$CreateCriticalFileProcessSection$Process32wsprintf$AllocDeleteDirectoryEnterFirstLeaveNextPathReadRemoveSnapshotSpecToolhelp32WindowsWrite__chkstklstrcatlstrcmpilstrlen
                                                                                                                    • String ID: "tdata\key_datas" "tdata\D877F783D5D3EF8Cs" "tdata\D877F783D5D3EF8C\configs" "tdata\D877F783D5D3EF8C\maps" "tdata\A7FDF864FBC10B77$%s\tdata_%d.rar$Telegram.exe$\rar.exe$rar.exe a "tdata_%d.rar" %s -m5
                                                                                                                    • API String ID: 1825664495-2162963810
                                                                                                                    • Opcode ID: 08fa0c8610ccb77aff50ece9baa1541d2cea37af8860a12628358939bf64a7d1
                                                                                                                    • Instruction ID: d94f99b3b8208d82541a41e23b3f2df4e259abba0e6f1c034aa8e22557180a9e
                                                                                                                    • Opcode Fuzzy Hash: 08fa0c8610ccb77aff50ece9baa1541d2cea37af8860a12628358939bf64a7d1
                                                                                                                    • Instruction Fuzzy Hash: 38E19D32700B9697EB24DFA2E9447DD63A1FB9AB88F408215CE4A47B98DF38C345C745
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$Virtual$Alloc$EnterLeaveRead$Process$CreateCurrentErrorLastThreadTokenmemset$AdjustCloseDirectoryFreeHandleInitializeLookupOpenPrivilegePrivilegesSystemValuelstrcatwsprintf
                                                                                                                    • String ID: :G:$:$A:|:$B:_:$I:N:$I:S:$R:U:$U:Y:$V:V:$\\.\Pipe\%d_pipe%d$^:$_:I:$f:^:$j:H:${:~:$~:~:
                                                                                                                    • API String ID: 1888231936-1994672154
                                                                                                                    • Opcode ID: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
                                                                                                                    • Instruction ID: 20ce504eacf646f25851e58ed7774aef9c0973e047861bcb9b446a15f24958d5
                                                                                                                    • Opcode Fuzzy Hash: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
                                                                                                                    • Instruction Fuzzy Hash: 99E1AB73604B91CBE7148F61E8007EEBBB0F795B98F459216DE9907A59EF38D284CB04
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Freelstrlen$memset$ProcessToken$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValuehtonsinet_ntoalstrcpy$Alloc
                                                                                                                    • String ID: SeDebugPrivilege$System$TCP
                                                                                                                    • API String ID: 2139412910-32757284
                                                                                                                    • Opcode ID: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
                                                                                                                    • Instruction ID: 8d6277c870a552f8d83a9848704f5c7af2f372fc1522890840096eaa4a836adc
                                                                                                                    • Opcode Fuzzy Hash: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
                                                                                                                    • Instruction Fuzzy Hash: 9BF18F76310A9587EB24DF66E844BDE77B0F789B98F408216CA5A47B58DF38C248CB44
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$lstrcat$AllocCriticalFreeSection$File$CloseHandle$EnterErrorLastProcessReadmemset$CreateLeaveMovememcpy$CurrentDeleteInitializeTerminateWrite
                                                                                                                    • String ID: .bak$18.166.104.207$C:\Program Files\Windows Mail$ParphaCrashReport64.exe$arphaDump64.bin$h
                                                                                                                    • API String ID: 2211108363-1699758179
                                                                                                                    • Opcode ID: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
                                                                                                                    • Instruction ID: 92e861b1de5cff73e44cb5ed11c8745a511073350e7177d4ebdad224838e7f76
                                                                                                                    • Opcode Fuzzy Hash: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
                                                                                                                    • Instruction Fuzzy Hash: B7D1D132710B9687EB24CF71E8447ED6361FB99B88F40D316DA4A17A69EF38C255C348
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$lstrlen$ProcessTokenmemset$CriticalSection$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValue$AllocDeleteEnterLeaveReadhtonsinet_ntoalstrcpy
                                                                                                                    • String ID: 0.0.0.0$SeDebugPrivilege$System$UDP
                                                                                                                    • API String ID: 3759433425-459619966
                                                                                                                    • Opcode ID: 2bc8028b07d01d9ba69e09a3802a839e12856a2c9f2d2d692c2ea6f1d234ecb0
                                                                                                                    • Instruction ID: 6072c5dda7ee4d97fa871a10c0060a0dd374e28672bf7c5220c29cb99e6c07db
                                                                                                                    • Opcode Fuzzy Hash: 2bc8028b07d01d9ba69e09a3802a839e12856a2c9f2d2d692c2ea6f1d234ecb0
                                                                                                                    • Instruction Fuzzy Hash: 18F17D76310B9187EB24DF62E8547DE77B1F789B98F809216CA4A47B58DF38C248CB44
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$Alloc$Freelstrcat$Read$EnterLeave$DirectoryErrorLastmemset$InitializeSystemWindowsmemcpy
                                                                                                                    • String ID: :$B:_:$HTTP$I:N:$R:U:$TCP$UDP$V:V:$\syswow64$f:^:
                                                                                                                    • API String ID: 1846020110-2823427824
                                                                                                                    • Opcode ID: e9a6c1f68d46521105151d4f1ece7a9abb65f008cd8859d4eff4fac00e1c520e
                                                                                                                    • Instruction ID: 42946c8f20094921fd708f5c627bdb64249f0c9afd15bfcd2357cd910dcb922c
                                                                                                                    • Opcode Fuzzy Hash: e9a6c1f68d46521105151d4f1ece7a9abb65f008cd8859d4eff4fac00e1c520e
                                                                                                                    • Instruction Fuzzy Hash: 96E1BF32710A9687EB24CF66D844BEDB7A1FB9AB84F84C211DE4A4BB54DF38D644C704
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalFreeSection$Heaplstrcat$EnterProcessRead$CloseDirectoryErrorHandleLastLeaveProcess32Sessionmemset$ActiveConsoleCreateFirstInitializeNextSnapshotSystemToolhelp32Windowslstrcmpimemcpy
                                                                                                                    • String ID: $@$HTTP$TCP$UDP$\dllhost.exe$\syswow64$explorer.exe
                                                                                                                    • API String ID: 2239626338-2826464075
                                                                                                                    • Opcode ID: 5757aa08a514de2e174b95a11b239ba89f8451405a39913d70d3799bc8b63680
                                                                                                                    • Instruction ID: 936c318d8bb76c10f9edc0e9f4b44dd6d277d331021b6920636caa95345f5202
                                                                                                                    • Opcode Fuzzy Hash: 5757aa08a514de2e174b95a11b239ba89f8451405a39913d70d3799bc8b63680
                                                                                                                    • Instruction Fuzzy Hash: 06B1B432700B9683FB258F76D9447EDA3A1FB99B84F84C315DA4A47A95EF38C245C348
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$ErrorLast$lstrcatmemset$AllocProcess$CreateMemoryOpenRemoteThreadWritememcpy
                                                                                                                    • String ID: 18.166.104.207$:$@$Inject Test
                                                                                                                    • API String ID: 1625309433-544392806
                                                                                                                    • Opcode ID: 5566dcc5605b0a6cd22809c0907e2384aa0d6f53cf907175bde78d5295b26e8a
                                                                                                                    • Instruction ID: 75599436faed15a21e071ca58675c9fd74d6aaaac53634a0fb8bab240016c077
                                                                                                                    • Opcode Fuzzy Hash: 5566dcc5605b0a6cd22809c0907e2384aa0d6f53cf907175bde78d5295b26e8a
                                                                                                                    • Instruction Fuzzy Hash: E6F18D32B15BC287E724CF35D810BED73A1FBAAB88F44D315DA4946A59EF389284C744
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$Handle$AddressCloseFileFreeOpenProcSleepTokenVirtuallstrcpymemset$AdjustCurrentDeleteDeviceDriveEnumErrorImageLastLogicalLookupModuleModulesNamePrivilegePrivilegesQueryStringsTerminateValuelstrcatlstrlenwcsncmp
                                                                                                                    • String ID: NtResumeProcess$NtSuspendProcess$SeDebugPrivilege$ntdll.dll
                                                                                                                    • API String ID: 335747669-263106891
                                                                                                                    • Opcode ID: 0323485f620a88985792f302705c0bf60f5310987a287480cf63306c896622fa
                                                                                                                    • Instruction ID: f3197051485fedc0ca87157b2d918fa8f2b333e413703a3c5d74fee0b059c2f3
                                                                                                                    • Opcode Fuzzy Hash: 0323485f620a88985792f302705c0bf60f5310987a287480cf63306c896622fa
                                                                                                                    • Instruction Fuzzy Hash: 3FA1E631210A9683EB64DF61E8447DD73A0FB95F48F80C216DA4A477A8EF38C749C798
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$Alloc$CloseErrorFileHandleLast$Createlstrcatlstrlen$DirectoryPathProcessRemoveSpecWindowsWritememsetwsprintf
                                                                                                                    • String ID: \rar.exe$h$rar.exe a "%s" %s -m5
                                                                                                                    • API String ID: 460989278-1571478729
                                                                                                                    • Opcode ID: d6fa1d8524bb85152559a8366e61b1b4fff8d11480b6a2d1cb8cd4eedd6e302b
                                                                                                                    • Instruction ID: e2fbdecf61e0fb942767ecf5abb77764f15f048ed007a063d6527037c42ffe07
                                                                                                                    • Opcode Fuzzy Hash: d6fa1d8524bb85152559a8366e61b1b4fff8d11480b6a2d1cb8cd4eedd6e302b
                                                                                                                    • Instruction Fuzzy Hash: B1D17032310AA287EB648F62E9587DD73A1F799F88F45C225CE4A47B58DF38C644C744
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrcat$memset
                                                                                                                    • String ID: ::$:U:M:m:S:$:$:$:$H:L:$L:_:$N:[:$T:I:$T:I:$T:^:$T:^:$T:^:$U:M:$U:M:$U:M:$Windows 2003$Windows XP$_:H:$_:H:$_:H:i:_:U:M:m:S:$i:_:$m:S:$m:S:$m:S:
                                                                                                                    • API String ID: 2788080104-1869930141
                                                                                                                    • Opcode ID: 89cf57517cdc68ef62da7d3c9f9d36e19b96a16481536b5742197b23cda8ce07
                                                                                                                    • Instruction ID: 3209f0c0310a924eedcc98963ad7d168b0a569009cdc6da933647491b931516b
                                                                                                                    • Opcode Fuzzy Hash: 89cf57517cdc68ef62da7d3c9f9d36e19b96a16481536b5742197b23cda8ce07
                                                                                                                    • Instruction Fuzzy Hash: 444228735186C1CEE331CF64E4406DEBBB0F796748F14920AE7991AA59EB78E284CF05
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$Filelstrcmpi$CreateInfoParametersSystemThreadlstrlen$AllocCloseExecutionHandleObjectReadSingleSizeStateWaithtonsmemsetwsprintf
                                                                                                                    • String ID: %s\%s$18.166.104.207$C:\Program Files\Windows Mail$HTTP$PTCP$TCP$UDP$install.cfg
                                                                                                                    • API String ID: 1274318034-3306435476
                                                                                                                    • Opcode ID: 663568433656cea89e63caccbc2b97e320fd9943314f34955629d2a210d6f6f0
                                                                                                                    • Instruction ID: 279198e5256eebe434b84e88c2fc52f54e3657562092c87de20093b324365a66
                                                                                                                    • Opcode Fuzzy Hash: 663568433656cea89e63caccbc2b97e320fd9943314f34955629d2a210d6f6f0
                                                                                                                    • Instruction Fuzzy Hash: 2EB19A71600B6687EB54CFA2E844BDEB7A1FB99B84F458325CD4A43754EF38C648C748
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Alloc$CriticalSection$Free$EnterReadServicelstrlenmemcpy$EnumLeaveLocalOpenServicesStatus$CloseConfig2HandleInitializeManagerQuerymemset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1976463032-0
                                                                                                                    • Opcode ID: e31869551b353607aec46271203f30b5e22ed9872d805ff8829a815e3cabd60d
                                                                                                                    • Instruction ID: a2685cfbf0fc5e2b1515055897b777ef9423c0977dfd28e286cfe3fa25aead5a
                                                                                                                    • Opcode Fuzzy Hash: e31869551b353607aec46271203f30b5e22ed9872d805ff8829a815e3cabd60d
                                                                                                                    • Instruction Fuzzy Hash: 3C326B66A14BC587E715CF29D9447EC73A0F7AAB88F54E315CF8912A26EF35A2D4C300
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$memcpy$closesocketconnectfreeaddrinfogetsocknamehtonssocketstrncpy
                                                                                                                    • String ID: GET$POST$RAW$Unable to connect$client_connect3$conn fail: %d$conn fail: change pollfd$conn fail: insert fd$conn fail: skt creation: errno %d$conn fail: skt options: errno %d$conn fail: sock accept$conn fail: socket bind$lws_free$waiting for event loop watcher to close
                                                                                                                    • API String ID: 3000816023-458479724
                                                                                                                    • Opcode ID: 45b74619e095686916e0e6cf39154984f1e692daa841b6c70865dabd898a1b92
                                                                                                                    • Instruction ID: 6006729060838bc4a7cd8bbd2eafa0bd0f939fa7e99a5df2ab3374e1f787e082
                                                                                                                    • Opcode Fuzzy Hash: 45b74619e095686916e0e6cf39154984f1e692daa841b6c70865dabd898a1b92
                                                                                                                    • Instruction Fuzzy Hash: 2512C1322107AB83EB65DFA1D4443EDA3A0F7A4B88F449232DE4957699DF38C785C358
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$AllocRead$EnterFileFreeLeave$lstrcat$CloseCreateErrorHandleLastSizememset
                                                                                                                    • String ID: @$C:\Program Files\Windows Mail$\cp.cfg
                                                                                                                    • API String ID: 1502650097-1776503346
                                                                                                                    • Opcode ID: 03e5816f0febf9f2516ba56efb62d54b0cca26d4fb6bcd281216f8244b78d330
                                                                                                                    • Instruction ID: 8e3b75837cc7b169952f15b97cae5d8daba851652c660947d9d54fbaeab44093
                                                                                                                    • Opcode Fuzzy Hash: 03e5816f0febf9f2516ba56efb62d54b0cca26d4fb6bcd281216f8244b78d330
                                                                                                                    • Instruction Fuzzy Hash: EFC1AD32315B9687EB248F29E5447ADA3A0FB9AF84F44C315DE5A03B94DF38C615C709
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: lstrlen$ByteCharMultiWide$ClipboardVirtual$AllocGlobal$Freememcpy$CloseDataEmptyLockOpenUnlock
• String ID: !
• API String ID: 17242508-2657877971
• Opcode ID: d0d0cce1298095d55bda04961aa882279e2f81b3c830c1949f663db54f22f3fc
• Instruction ID: 5b9c281e286b791352693fe723b8e59261dbe8a990d5c48c14216bf7fb0d0741
• Opcode Fuzzy Hash: d0d0cce1298095d55bda04961aa882279e2f81b3c830c1949f663db54f22f3fc
• Instruction Fuzzy Hash: 3A71D031200B5683EB18DF62E9447DDB7A5FBA9FC1F848225D94B52BA4DF3CC2058389
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: lstrcat$CriticalFileFindSectionmemset$FreeLeaveNextVirtual$CurrentEnterFirstObjectReadSingleSleepThreadWait__chkstklstrlenwcsstr
• String ID: *.*
• API String ID: 491004167-438819550
• Opcode ID: b29965504f393d0c0be59b7089e5a45caf17d60b96d961a43351eaaa3ebd01c0
• Instruction ID: ced4531eee078bbbe823f11d09c565f9c8d1db08c924db771b935d818814606c
• Opcode Fuzzy Hash: b29965504f393d0c0be59b7089e5a45caf17d60b96d961a43351eaaa3ebd01c0
• Instruction Fuzzy Hash: 2991AD32300B56C7EB24CF62E9447EDA3A1F799B84F85C226DE4947A98EF38C605C705
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$Virtual$AllocEnterFileLeaveRead$Freelstrcat$CloseCreateHandlePointerWritememset
• String ID: C:\Program Files\Windows Mail$\cp.cfg
• API String ID: 1370748441-3904790782
• Opcode ID: 6ecfbc1e04c89c64a0ee336d11aee912bcb92c8e0a2a77cad56ae9ff53fce122
• Instruction ID: ac4151d6723362a57e44ce5fad30c030c7318ceefd1bcdbb7c1b4b8f14dbfa1b
• Opcode Fuzzy Hash: 6ecfbc1e04c89c64a0ee336d11aee912bcb92c8e0a2a77cad56ae9ff53fce122
• Instruction Fuzzy Hash: 9EE1BD32710B8683EB258F39E544BADA3A1FB96F84F55D316DA8A03B54EF38C654C704
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$AllocFree$EnterErrorFileLastRead$CreateLeavehtonslstrcatmemset$CloseDirectoryHandleInitializeWindowsWrite
• String ID: 18.166.104.207$\\.\{F8284233-48F4-4680-ADDD-F8284233}$\system32\drivers\tpdrivers.sys$tpdrivers
• API String ID: 3655753775-2993865585
• Opcode ID: db220a0706c505ffdfe986e89b00e689603627b43e6aef5444c71a3e61a513cc
• Instruction ID: 965c3f4858349bc1e6c5326b625feddbe776735589b2fbc3194db656e353939b
• Opcode Fuzzy Hash: db220a0706c505ffdfe986e89b00e689603627b43e6aef5444c71a3e61a513cc
• Instruction Fuzzy Hash: FE71C232315A6683FB64DF62E8547DEA3A1FB99B84F40C215DA8A43B94DF3CD2548708
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leavememcpy$CreateCurrentErrorInitializeLastMutexProcessSleepfreelstrcatmallocmemsetwsprintf
• String ID: %s%d$:$Inject Test
• API String ID: 3230380526-1060902658
• Opcode ID: 8dbd244c4dc7ff5931541ce9d241f2be0e44287da5020331176b23af610f2178
• Instruction ID: e6adcabd7d0182bcec813dbf64fbb96e906a5a8de0cbbcfd531fe0369516a711
• Opcode Fuzzy Hash: 8dbd244c4dc7ff5931541ce9d241f2be0e44287da5020331176b23af610f2178
• Instruction Fuzzy Hash: CB919032705B5683EB14CF66E4047EDA361FBAAF84F44C325DA8A42B55DF3CC2448745
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: File$lstrlen$memset$ByteCharMultiVirtualWideWindow$AllocAttributesCreatePointerProcessWritelstrcat$CloseCountForegroundFreeHandleLocalSessionTextThreadTickTime__chkstkwsprintf
• String ID: [Keyboard recording content:]$[PROCESS:]%s[USERID:]%d[TITLE:]%s[TIME:]%d-%d-%d %d:%d:%d
• API String ID: 599969897-1868071797
• Opcode ID: f17e409ea88a83495190c95706f18a929b1a90729d272230387f25703c5392a2
• Instruction ID: 13cf37d4eb13a2916675e06d7e140b1f935d3c9c174cbcf0b39b325502ee8666
• Opcode Fuzzy Hash: f17e409ea88a83495190c95706f18a929b1a90729d272230387f25703c5392a2
• Instruction Fuzzy Hash: 2D7181326047A6C7E724DF65E8403DEBBA1F795B84F448216E94E87A64DF38C345CB84
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$memset$CriticalSection$Alloc$Enum$EnterRead$LeaveValue$CloseInitializeOpen__chkstk
• String ID:
• API String ID: 2734444383-0
• Opcode ID: 0595414e30b50002a461e2897ac5610cd8ac295fcac56b89b3caa5011188017e
• Instruction ID: 6a23d256e1bb42cfa1fb084b5c4ea3267bc4720471d036c788e4943138a5079d
• Opcode Fuzzy Hash: 0595414e30b50002a461e2897ac5610cd8ac295fcac56b89b3caa5011188017e
• Instruction Fuzzy Hash: 4BF16A32310A9187EB64CF62D998ADEB3A1FB8AB85F408115CF5A47B58DF38C215CB04
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$AllocVirtual$EnterLeaveRead$Initialize$CreateEvent$memset
• String ID:
• API String ID: 1099351009-0
• Opcode ID: 4c432805fc150b9a5a3aab3c4a807d14a13fc8452305bb2b73dd0958c01303ba
• Instruction ID: aae15803255ae537419887a5efdcd0fe6b9860a4dd9f75eccf2556c079e3fabb
• Opcode Fuzzy Hash: 4c432805fc150b9a5a3aab3c4a807d14a13fc8452305bb2b73dd0958c01303ba
• Instruction Fuzzy Hash: 1EB11D31311F5693EB498F61E9403DDB3A4FB64B80F84C62ADA5993764EF38D664C348
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
• String ID: Schedule
• API String ID: 3636854120-2739827629
• Opcode ID: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
• Instruction ID: 6ee3f7f16e62e9fbbf62cb728b63543f6f6100922e48a7ada6915e3d38cfd098
• Opcode Fuzzy Hash: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
• Instruction Fuzzy Hash: 84A1AE36705B8886EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CloseHandle$CreateFreeVirtual$Pipe$InfoProcessStartupThreadlstrcatmemset
• String ID:
• API String ID: 3234776578-3916222277
• Opcode ID: 92ec81b901bfc6f2a5663ab9ca78efc14cc9e06966c3134a046e798205adb50d
• Instruction ID: 195f69f3974edf19b06f0bc45a72e1ee0ede1bc6ee3f15c66d4f30e550075e30
• Opcode Fuzzy Hash: 92ec81b901bfc6f2a5663ab9ca78efc14cc9e06966c3134a046e798205adb50d
• Instruction Fuzzy Hash: 5A914F36601F55D7EB58CFA1E9503AEB3B4FBA8B48F448216DE4953A14DF38C2A4D348
                                                                                                                    APIs
                                                                                                                    Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CloseErrorHandleLastmemset$CreateFileVirtual$AllocDirectoryFreeProcessWindowsWritelstrcatwsprintf
• String ID: \rar.exe$h$rar.exe x "%s" "%s"
• API String ID: 2158214755-1420003661
Similarity
• API ID: Virtual$AllocCriticalSection$FreeProcess$Heap$EnterReadSession$CloseCreateHandleLeaveProcess32lstrcat$ActiveConsoleCurrentFirstInitializeNextSnapshotThreadToolhelp32lstrcmpimemcpymemset
• String ID: explorer.exe
• API String ID: 1072794995-3187896405
Similarity
• API ID: Process$Token$CloseHandleOpen$AdjustCurrentErrorLastLookupPrivilegePrivilegesValue$EnumFileImageModulesNamelstrcpymemset
• String ID: SeDebugPrivilege$SeTcbPrivilege
• API String ID: 4244359295-3171858176
Similarity
• API ID: closesocketsetsockopt$ErrorLast$listensocket
• String ID: %s: VH %s: iface %s port %d DOESN'T EXIST$%s: VH %s: iface %s port %d NOT USABLE$ERROR opening socket$Out of mem$_lws_vhost_init_server_af$listen failed with error %d$listen|%s|%s|%d$lws_create_vhost$reuseaddr failed
• API String ID: 3630065070-1684632830
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$Find$EnterFileRead$LeaveNextlstrcatmemset$CloseFirstInitialize
• String ID: *.*
• API String ID: 3909642798-438819550
Similarity
• API ID: Virtual$AllocCriticalFreeSection$Read$EnterFile$CloseHandleLeavelstrcat$CreateInitializeSizememset
• String ID: C:\Program Files\Windows Mail$\temp.key
• API String ID: 1994389154-229217837
Similarity
• API ID: File$AttributesCreatePointerVirtualWritelstrcat$AllocCloseCountFreeHandleTickmemset
• String ID: C:\Program Files\Windows Mail$\temp.key
• API String ID: 573267298-229217837
Similarity
• API ID: Clipboard$CriticalSectionlstrlen$Global$CloseEnterLeavememcpy$AllocDataEmptyLockOpenUnlockmemcmp
• String ID:
• API String ID: 1993803941-0
Similarity
• API ID: Virtual$Alloc$MemoryProcessWrite$Protect$AddressErrorFreeHandleLastModuleProcmemcpy
• String ID: @$ZwCreateThreadEx$h$ntdll.dll
• API String ID: 2541485474-1855171776
Similarity
• API ID: FromString$CreateInitializeInstance
• String ID: :_:$:Y:$:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
• API String ID: 511945936-736265694
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateTokenUser$CloseErrorHandleLastProcess$BlockConvertDuplicateEnvironmentInformationLengthQueryString
                                                                                                                    • String ID: S-1-16-12288
                                                                                                                    • API String ID: 1141289200-1849704789
                                                                                                                    • Opcode ID: caeb1a379e724c93c67c04a80382c5ed4d88f45cfcb5109627a83da083652068
                                                                                                                    • Instruction ID: 416140f666058c452021d40870dd9c68003e6d40515f9707e28d2dd3b6a9b11b
                                                                                                                    • Opcode Fuzzy Hash: caeb1a379e724c93c67c04a80382c5ed4d88f45cfcb5109627a83da083652068
                                                                                                                    • Instruction Fuzzy Hash: 64614D36604B55C7EB108FA1E88079EB7B4F799B88F504215EE8953F28DF38D295CB44
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Event$ClearCloseOpen
                                                                                                                    • String ID: Application$Security$Setup$System
                                                                                                                    • API String ID: 1391105993-476969907
                                                                                                                    • Opcode ID: 5021a1d87680e35f003e85da53eefad997846ad59c3c35a2b55918231f5bdb21
                                                                                                                    • Instruction ID: eb4902bacb9716d8a145958cfeb9317bf8f19d3fd096ca1d6c3070a3bf0b52cc
                                                                                                                    • Opcode Fuzzy Hash: 5021a1d87680e35f003e85da53eefad997846ad59c3c35a2b55918231f5bdb21
                                                                                                                    • Instruction Fuzzy Hash: 4B11C174601F27C3FE1D9FB6B95839D92916F5DF41F88C725880A86350EE3CC2498348
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeVirtual$EventEvents$CreateCriticalEnumMultipleNetworkSectionSelectWait$CurrentEnterLeaveReadThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4074094491-0
                                                                                                                    • Opcode ID: 0f0ffae681726fcd768551af21c48319e4c13f85f93b30996a74dbc28cd3cd94
                                                                                                                    • Instruction ID: bf414f5f577f3c91212c2572975033aaa3508c88342c5e267bcccb2187cf9eef
                                                                                                                    • Opcode Fuzzy Hash: 0f0ffae681726fcd768551af21c48319e4c13f85f93b30996a74dbc28cd3cd94
                                                                                                                    • Instruction Fuzzy Hash: E4B1BC32301B4687EB64DF56E444BAEB3A4FB8AF90F44C211DE9A47B94DF38C6458748
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalFreeSection$Read$Enter$CloseHandleInitializeLeave$CreateEventMultipleObjectsWait
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1725847572-0
                                                                                                                    • Opcode ID: 876fc3b34448328f9269e67c67e9409e61e97c701b227af607bf82faa45f4fcb
                                                                                                                    • Instruction ID: 8f6bb53bc42ec199e4724ec7b564416bd44402f651e95579e9cb261f1b04432c
                                                                                                                    • Opcode Fuzzy Hash: 876fc3b34448328f9269e67c67e9409e61e97c701b227af607bf82faa45f4fcb
                                                                                                                    • Instruction Fuzzy Hash: 49A14536201B4187EB58CF62E494BAD73A4FB99F84F45C225CE4A43B58DF38D664C788
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$Free$FileRead$EnterErrorLast$Leavefree$CreateInitializePointerSizemallocmemcpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1128571104-0
                                                                                                                    • Opcode ID: af9bb7d1b2c8ca7110cb3b755bcb326d2b0b0e4f4ea9e483cf88b5d16ac75476
                                                                                                                    • Instruction ID: 56ecf1c5cd5917ef1a6a3e50233193b740224f56fd51ad1ba04a06ec013d7fe3
                                                                                                                    • Opcode Fuzzy Hash: af9bb7d1b2c8ca7110cb3b755bcb326d2b0b0e4f4ea9e483cf88b5d16ac75476
                                                                                                                    • Instruction Fuzzy Hash: DD71AB36305B9187EB64CFA2E95479EB3A1FB99F94F408215CE8A43B54DF38C249CB44
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EventEvents$FreeVirtual$CreateEnumMultipleNetworkSelectWaitmemset$Cancel__chkstkclosesocketrecv
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3006828577-0
                                                                                                                    • Opcode ID: 755613185204baf14ea6cb944d7e5b8ba692d085ee73819a7632e4f2f8082908
                                                                                                                    • Instruction ID: 504ac75545cdacc18b651341fdd4bd4d027158b93bafea95c5984a6e3951eabc
                                                                                                                    • Opcode Fuzzy Hash: 755613185204baf14ea6cb944d7e5b8ba692d085ee73819a7632e4f2f8082908
                                                                                                                    • Instruction Fuzzy Hash: E0710532300B9283EB648F66E454BDEA7A1F796F90F54C211DE5A837A4DF38D645CB08
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CapsDevice$BlockInput$Virtualkeybd_event
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4019288356-0
                                                                                                                    • Opcode ID: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
                                                                                                                    • Instruction ID: 918ee9a51b7a60b8374d9d6ebde108e903eec850dbd254bbaf804c873493088e
                                                                                                                    • Opcode Fuzzy Hash: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
                                                                                                                    • Instruction Fuzzy Hash: 1461353261469583E3698F31E848BEEB3A1FB9AB41F54D712DE4A02764DF39E684C704
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: strchr
                                                                                                                    • String ID: %s: ended on e %d$%s: malformed ip address$lws_create_vhost$lws_parse_numeric_address
                                                                                                                    • API String ID: 2830005266-2525933588
                                                                                                                    • Opcode ID: 70010e423fb3755efd61014bceaeae7baf17920ebf1afdbeec04516e640b8e02
                                                                                                                    • Instruction ID: eb042f112b405d42970fb4d10b27aaa805432e48b5306107ca279fd786b04090
                                                                                                                    • Opcode Fuzzy Hash: 70010e423fb3755efd61014bceaeae7baf17920ebf1afdbeec04516e640b8e02
                                                                                                                    • Instruction Fuzzy Hash: 52A139323045AE87FB258AA994043EEE6D1E7627A4F54C311EAA747AD5CF34C74DC309
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalFreeSection$AllocCreateEnterErrorLastLeaveReadThreadbindhtonlhtonsinet_addrlistenmemsetsetsockoptsocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1206800484-0
                                                                                                                    • Opcode ID: 3b4ce19dcc75c1c8cdbd46baa2501b7c779ff89514a24e43775d64ba7dc00e07
                                                                                                                    • Instruction ID: 146eac22565008005cee9a6c6ad73e16a5ea5b03e05acc432e8544318c3dd6da
                                                                                                                    • Opcode Fuzzy Hash: 3b4ce19dcc75c1c8cdbd46baa2501b7c779ff89514a24e43775d64ba7dc00e07
                                                                                                                    • Instruction Fuzzy Hash: 89517E32304B5183E7298F61E8447DDB3B0FB99F85F848226DA4A43B94DF38D655CB48
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memsetstrcmp
• String ID: %s/%s/%s/%s$MQTT$No vhost in the context$YZ[\X]^_RAW$default$free$lws not configured for tls$lws_client_connect_via_info$lws_free$no vhost$novh$raw-proxy$system$unable to bind to role
• API String ID: 195427100-1777779229
• Opcode ID: 0a50994659bfa9390f8cb93d3ee09e1d8e146c54073cf66cc204a343bb942911
• Instruction ID: 623812f0dcc70c7c7c94888e90ada3572bceb521601ca4896345ed8db2f20e86
• Opcode Fuzzy Hash: 0a50994659bfa9390f8cb93d3ee09e1d8e146c54073cf66cc204a343bb942911
• Instruction Fuzzy Hash: 6B027932200BAA87EB558F65E4403EDB7A0F754B88F588236DF8997794DF38D265C318
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: FreeVirtual$freemalloc$GroupLocalMembersSleepUser
• String ID: Administrators
• API String ID: 2980277588-3395160503
• Opcode ID: da3a28424a5a67998ed531bb1b5f40b6d27e172e32b39df16f7556483a8c1416
• Instruction ID: 7f0eb42ef3a2b1dc8275282ab70d489c33b33ec921b62a8b32e3714893444961
• Opcode Fuzzy Hash: da3a28424a5a67998ed531bb1b5f40b6d27e172e32b39df16f7556483a8c1416
• Instruction Fuzzy Hash: 18517C32B00B118BEB148F76D8547EC73A5FB9AF88F54C225DE0A06B58DE38D645C748
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$CriticalSection$CloseEnterHandleInformationObjectProcessQueryReadSingleSystemTokenWait$AdjustCreateCurrentErrorEventFreeInitializeLastLeaveLookupOpenPrivilegePrivilegesValuelstrcmpimemset
• String ID: taskmgr.exe
• API String ID: 441768363-4156271273
• Opcode ID: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
• Instruction ID: 1b7a588056662e0521b71279a17d26c24fa119c3df4650cc48e6eba33a4f8c63
• Opcode Fuzzy Hash: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
• Instruction Fuzzy Hash: A641D13170565A87EB249F52E910BEEFB61BB95FC0F41C219DE0647AA4EF38CA04C749
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Message$RegisterWindow$NotificationSession$ClassCreateDispatchHandleLongModuleShowTranslate
• String ID: Session Logon
• API String ID: 1979525249-2950959013
• Opcode ID: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
• Instruction ID: 3b39acc451c527ce0e4eb6d3d9a15779dd2be55a3b5eaaad88078396fc7016a3
• Opcode Fuzzy Hash: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
• Instruction Fuzzy Hash: 4041B732608B9683E714CF65F8447AEF3A1F799B40F55C325EA8943A24DF78C184CB44
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterFreeRead$Leave$Initialize$CreateCurrentEventThread
• String ID:
• API String ID: 3016386783-0
• Opcode ID: 1454743fbe7efa11aabd04cc1c8ed9c14f50533e4e827fb8bae3627dc7ceb715
• Instruction ID: af61751120165cb8fc783ca81390772a6040e8cdca490891c873c0b323573639
• Opcode Fuzzy Hash: 1454743fbe7efa11aabd04cc1c8ed9c14f50533e4e827fb8bae3627dc7ceb715
• Instruction Fuzzy Hash: DE717E32301F4187EB24CF62E844A9EB3A4FB59B80F45C225DB8A43B64DF38D654C748
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Message$ClipboardWindow$ChainChangeClassCreateDispatchHandleModuleRegisterShowTranslateViewer
• String ID: CutActive
• API String ID: 3542119435-15800375
• Opcode ID: 0d714c67f3cfe865919fbe5d08e246d9116574fc16b8d6ae8ab858ff4aa2f78f
• Instruction ID: 3663677eddb6b03fe7759d6a36ba088d49a2a577da9a65aefe9821815b669846
• Opcode Fuzzy Hash: 0d714c67f3cfe865919fbe5d08e246d9116574fc16b8d6ae8ab858ff4aa2f78f
• Instruction Fuzzy Hash: 58418532618BD683EB24CF61F85479EB3A1F799B80F558225DA8D42A14EF3DC184C744
APIs
• getaddrinfo.WS2_32 ref: 000001845C4FAAA4
• VirtualFree.KERNEL32 ref: 000001845C4FAAC9
• htons.WS2_32 ref: 000001845C4FAADD
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34EB
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E34FD
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3510
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3527
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3556
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3568
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E357B
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3592
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35C1
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E35D3
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35E6
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35FD
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E362C
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E363E
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3654
• VirtualFree.KERNEL32 ref: 000001845C4FAC00
• VirtualFree.KERNEL32 ref: 000001845C4FAC30
• VirtualFree.KERNEL32 ref: 000001845C4FAC46
• VirtualFree.KERNEL32 ref: 000001845C4FAC70
• CreateThread.KERNEL32 ref: 000001845C4FAC9B
• IsBadReadPtr.KERNEL32 ref: 000001845C4FACB0
• EnterCriticalSection.KERNEL32 ref: 000001845C4FACC3
• VirtualAlloc.KERNEL32 ref: 000001845C4FACDA
• LeaveCriticalSection.KERNEL32 ref: 000001845C4FACFE
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$CreateInitializeThreadgetaddrinfohtons
• String ID:
• API String ID: 900205276-0
• Opcode ID: 8c129793120a5eaf90c5e420acc84c96ddf636ddc2a4fcd7ddec8e6b6a481413
• Instruction ID: 1c931d47df7b336cd53fdfb48b850c2f16fbd119a9977fbbd793ccb245af656c
• Opcode Fuzzy Hash: 8c129793120a5eaf90c5e420acc84c96ddf636ddc2a4fcd7ddec8e6b6a481413
• Instruction Fuzzy Hash: EB918B72710B418BEB14DF62E418BAD73A5FB89F88F45822ADE4A43B58DF38C245C344
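The function entries in this section all follow one layout: an APIs list of `Name.MODULE ref: address` lines, with sub-call lines attributed to a callee address, then the memory-dump source, then the Similarity fields (API ID, `$`-joined String ID, opcode and instruction hashes). As an added example, not part of this report and not Joe Sandbox tooling, the Python below parses a shortened excerpt of two entries from this page, separates direct from sub-call API references, and tags coarse capabilities. The `CAPABILITY_RULES` keyword map and its capability names are the example's own assumptions for this sample, not a Joe Sandbox classification.

```python
"""Triage helper for Joe Sandbox function-similarity entries.

Added example, not Joe Sandbox tooling: parses the "APIs / Memory Dump
Source / Similarity" blocks into records and tags coarse capabilities.
"""
import re
from dataclasses import dataclass, field

# Shortened excerpt of two entries from this report, embedded so the
# example runs offline (sub-call lines keep their deeper indentation).
SAMPLE_REPORT = """\
APIs
• getaddrinfo.WS2_32 ref: 000001845C4FAAA4
• VirtualFree.KERNEL32 ref: 000001845C4FAAC9
• htons.WS2_32 ref: 000001845C4FAADD
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
• CreateThread.KERNEL32 ref: 000001845C4FAC9B
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$CreateInitializeThreadgetaddrinfohtons
• String ID:
• Opcode ID: 8c129793120a5eaf90c5e420acc84c96ddf636ddc2a4fcd7ddec8e6b6a481413
APIs
Strings
Similarity
• API ID: Message$ClipboardWindow$ChainChangeClassCreateDispatchHandleModuleRegisterShowTranslateViewer
• String ID: CutActive
• Opcode ID: 0d714c67f3cfe865919fbe5d08e246d9116574fc16b8d6ae8ab858ff4aa2f78f
"""

# Line shapes used by the report: a direct API reference, a sub-call
# reference attributed to a callee address, and a "Key: value" field.
API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-F]+)$")
SUBCALL_RE = re.compile(r"^• Part of subcall function (?P<callee>[0-9A-F]+): "
                        r"(?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")


@dataclass
class FunctionEntry:
    direct_apis: list = field(default_factory=list)   # (api, module, ref)
    subcall_apis: list = field(default_factory=list)  # (callee, api, module, ref)
    fields: dict = field(default_factory=dict)        # Similarity / dump metadata

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

    @property
    def strings(self) -> list:
        # String ID is a '$'-joined list; an empty field means no strings.
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_entries(text: str) -> list:
    """Split the report text on 'APIs' headers and parse each entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers such as 'Strings' or 'Similarity'
        if (m := SUBCALL_RE.match(line)):
            cur.subcall_apis.append((m["callee"], m["api"], m["mod"], m["ref"]))
        elif (m := API_RE.match(line)):
            cur.direct_apis.append((m["api"], m["mod"], m["ref"]))
        elif (m := FIELD_RE.match(line)):
            cur.fields[m["key"]] = m["val"].strip()
    return entries


# Assumed keyword map for this sample (not a Joe Sandbox classification):
# a capability fires when every API-ID fragment and every string fragment
# is present in the entry.
CAPABILITY_RULES = {
    "clipboard-monitoring": ({"Clipboard", "Viewer"}, set()),
    "admin-group-check": ({"GroupLocalMembers"}, {"Administrators"}),
    "session-change-notification": ({"NotificationSession"}, set()),
    "token-privilege-adjust": ({"Adjust", "Privilege", "Token"}, set()),
    "process-name-check": (set(), {"taskmgr.exe"}),
    "network-resolve": ({"getaddrinfo"}, set()),
    "libwebsockets-client": (set(), {"lws_client_connect_via_info"}),
}


def tag_capabilities(entry: FunctionEntry) -> list:
    tags = []
    for name, (api_frags, str_frags) in CAPABILITY_RULES.items():
        api_ok = all(f in entry.api_id for f in api_frags)
        str_ok = all(any(f in s for s in entry.strings) for f in str_frags)
        if api_ok and str_ok:
            tags.append(name)
    return tags


def summarize(entries: list) -> list:
    """One triage row per function: hash, direct APIs, callees, capabilities."""
    return [{
        "opcode_id": e.fields.get("Opcode ID", ""),
        "direct_apis": sorted({api for api, _, _ in e.direct_apis}),
        "callees": sorted({c for c, *_ in e.subcall_apis}),
        "capabilities": tag_capabilities(e),
    } for e in entries]


if __name__ == "__main__":
    for row in summarize(parse_entries(SAMPLE_REPORT)):
        print(row)
```

The sub-call attribution is what makes this useful for pivoting: this entry and the one that follows both pull in callee 000001845C4E3330, the VirtualAlloc / critical-section routine, so its address is worth naming in the disassembler before reading the individual callers.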
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualAlloc.KERNEL32 ref: 000001845C4E3E86
• VirtualAlloc.KERNEL32 ref: 000001845C4E3FAD
• VirtualFree.KERNEL32 ref: 000001845C4E3FC6
• VirtualFree.KERNEL32 ref: 000001845C4E3FDC
• VirtualFree.KERNEL32 ref: 000001845C4E40E0
• VirtualFree.KERNEL32 ref: 000001845C4E410A
• VirtualFree.KERNEL32 ref: 000001845C4E411B
• VirtualFree.KERNEL32 ref: 000001845C4E4006
• VirtualFree.KERNEL32 ref: 000001845C4E41CF
• VirtualFree.KERNEL32 ref: 000001845C4E41F9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$Alloc$CriticalSection$EnterRead$Leave$Initialize_time64randsrand
                                                                                                                    • String ID: :
                                                                                                                    • API String ID: 3336294232-336475711
                                                                                                                    • Opcode ID: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
                                                                                                                    • Instruction ID: 685fc38c0d911349fd87c2835b13a67a1a30148a648e8f90b231413cccf58c4b
                                                                                                                    • Opcode Fuzzy Hash: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
                                                                                                                    • Instruction Fuzzy Hash: 0EB1AC32710B9283EB258F2AE4147ADA7A0FBDAF84F15E325DE8A43745DF38C6458744
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Process$ErrorLastOpenToken$AdjustCloseCurrentHandleLookupPrivilegePrivilegesValue
• String ID: SeDebugPrivilege
• API String ID: 3627867324-2896544425
• Opcode ID: 6f061aaa7941448df92f5fc4232100a70558b149b3d13a2c200e355258010a89
• Instruction ID: b85d37961887c7cb03bc1cb507477426d49222c58eefdbd40bc23f47aed86f2c
• Opcode Fuzzy Hash: 6f061aaa7941448df92f5fc4232100a70558b149b3d13a2c200e355258010a89
• Instruction Fuzzy Hash: 5A21B135214B5283E7548F51F40478EB7A1E785FB4F448316AAAA43BD4CF3CC1448B84
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F624A
• VirtualFree.KERNEL32 ref: 000001845C4F6274
• OpenClipboard.USER32 ref: 000001845C4F6302
• GlobalAlloc.KERNEL32 ref: 000001845C4F631A
• GlobalLock.KERNEL32 ref: 000001845C4F632B
• GlobalUnlock.KERNEL32 ref: 000001845C4F6349
• SetClipboardData.USER32 ref: 000001845C4F6357
• CloseClipboard.USER32 ref: 000001845C4F635D
• VirtualFree.KERNEL32 ref: 000001845C4F6373
• VirtualFree.KERNEL32 ref: 000001845C4F639D
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$Free$ClipboardEnterGlobalRead$Leave$CloseDataInitializeLockOpenUnlock
• String ID:
• API String ID: 1362927461-0
• Opcode ID: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
• Instruction ID: 6a1cd5239c2ca24f3ee405dbb46f653f7c433c00ab210cdc760d75b636c36316
• Opcode Fuzzy Hash: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
• Instruction Fuzzy Hash: FD419D32714B5187EB689F62E5447ADA3A1FB99F80F44C215CF8A43F54DF38E1648744
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
• String ID:
• API String ID: 2775880128-0
• Opcode ID: e54aba6c139d99624c5fc929576f719923c2ee98f6e17d40784d5d8f2ef1c0b0
• Instruction ID: 27ebbffaea827c617bd983f710878e3bd9c36bef7910576fa75691c9a5b2d7d9
• Opcode Fuzzy Hash: e54aba6c139d99624c5fc929576f719923c2ee98f6e17d40784d5d8f2ef1c0b0
• Instruction Fuzzy Hash: 4C416332A04B9687E750CFA4E8503EE7370F7A9B48F40922ADB8D47A55EF78C294C744
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: OpenService$CloseErrorHandleLastManager
• String ID:
• API String ID: 2659350385-0
• Opcode ID: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
• Instruction ID: 3dc81cdd53c4f2a7e888584ed1a38093cc0198b60a4a9c54028e2269cf17ae15
• Opcode Fuzzy Hash: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
• Instruction Fuzzy Hash: 39218735714A6583EB488FA6F98466D93A0FB9CFD4F449121EE0A43B15DF3CD5858B08
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
• API String ID: 0-2205580742
• Opcode ID: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
• Instruction ID: dcab3b9f2db7d9d944fb45beb8de10387a31829edead7d99da5042bcf1608516
• Opcode Fuzzy Hash: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
• Instruction Fuzzy Hash: 9791EE73D18BD58BE311CF7994016AEBB70F795348F14A349EA846691AEF78E680CF00
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 7fc2db687d2db18f914aee26642cc12e023eef4ef06861d8de73db2aff1532c5
• Instruction ID: f6eb2573d363cded6fe95f836757bdf273038e96beced32d72862337af752f53
• Opcode Fuzzy Hash: 7fc2db687d2db18f914aee26642cc12e023eef4ef06861d8de73db2aff1532c5
• Instruction Fuzzy Hash: D8518D76301B1197EB18DF62E654BAD63A1FB8AF81F048125CF4A43F54DF38D2668718
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • NetUserEnum.NETAPI32 ref: 000001845C4F688C
                                                                                                                    • lstrlenW.KERNEL32 ref: 000001845C4F68CE
                                                                                                                    • NetApiBufferFree.NETAPI32 ref: 000001845C4F6929
                                                                                                                    • malloc.MSVCRT ref: 000001845C4F6945
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F69F7
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F6A21
                                                                                                                    • free.MSVCRT ref: 000001845C4F6A2A
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F6A54
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F6A7E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$BufferEnumInitializeUserfreelstrlenmalloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1638303497-0
                                                                                                                    • Opcode ID: 65d04138dd441912b688736d00cc8846464790f10e23658900d22c822e7612d9
                                                                                                                    • Instruction ID: dd10ea7b3c2bba1f027ea9623fac76b984904199cfbfb28225e1ccd5fe8b74d0
                                                                                                                    • Opcode Fuzzy Hash: 65d04138dd441912b688736d00cc8846464790f10e23658900d22c822e7612d9
                                                                                                                    • Instruction Fuzzy Hash: C3617C32715B9187EB64CF22E4447AEB3A4FB8AF80F449225DE8A43B58DF38D544CB44
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: shutdown
                                                                                                                    • String ID: Closed before conn$__lws_close_free_wsi$closed before established$free$general child recurse$lws_free
                                                                                                                    • API String ID: 2510479042-3708836321
                                                                                                                    • Opcode ID: 08e54d8c4f49b821f84dbb9f750c2f7eac050acfd9fd38b8d044c5e5df543ded
                                                                                                                    • Instruction ID: 94f7ec45d06a3293dabecfbd49f2ccdf268985f4c2a8a02a54249f6910331090
                                                                                                                    • Opcode Fuzzy Hash: 08e54d8c4f49b821f84dbb9f750c2f7eac050acfd9fd38b8d044c5e5df543ded
                                                                                                                    • Instruction Fuzzy Hash: 8312AF722007AA83EB558FA5D4583EDA3A0F760F8CF88C235DE994B299CF74C645C758
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5A64
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5A8E
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F5AA5
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5B6E
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5B98
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5BBD
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5BE7
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5C0A
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5C34
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5C6C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 529218107-0
                                                                                                                    • Opcode ID: 9fb0c0ea2ccca51140455bb48a2ce0fc2871494495097355718dc06f0b780af2
                                                                                                                    • Instruction ID: d77c795bbfeee55b1c1bad1db8ddf330eba1108143439f03d8c12ca37df1a829
                                                                                                                    • Opcode Fuzzy Hash: 9fb0c0ea2ccca51140455bb48a2ce0fc2871494495097355718dc06f0b780af2
                                                                                                                    • Instruction Fuzzy Hash: 9C714031311F4187EB68DF62E494A9EB3A4FB99F80F48C225CE8A43B14DF39D6518748
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: socket$bindgetsocknamehtonl
                                                                                                                    • String ID: %s: failed$lws_plat_pipe_create
                                                                                                                    • API String ID: 858234250-3012564250
                                                                                                                    • Opcode ID: 3e06797931bfed255cca20481481bcc32daeca8df7cbd3f6bce5922f777b38ac
                                                                                                                    • Instruction ID: e56d15a3d0c2a346d4f0be43648e63a54c82e87047881d79e2e76e20361681b2
                                                                                                                    • Opcode Fuzzy Hash: 3e06797931bfed255cca20481481bcc32daeca8df7cbd3f6bce5922f777b38ac
                                                                                                                    • Instruction Fuzzy Hash: 25216232710AA583E7448F64E4483CE7364E754FA8F585336EAA9477E8DF38C681C745
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Free$InitializeStringVirtual$AllocCreateInitInstanceSecurityVariant
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1458724981-0
                                                                                                                    • Opcode ID: a98515b45f30c999fd584888f1fb30ce494dfbb6bf43997bf48997d6c69b94f9
                                                                                                                    • Instruction ID: 836725aef252814901cf1f9262082927fa5013ba6106a535212241d80c907915
                                                                                                                    • Opcode Fuzzy Hash: a98515b45f30c999fd584888f1fb30ce494dfbb6bf43997bf48997d6c69b94f9
                                                                                                                    • Instruction Fuzzy Hash: 3481B032604BA5C7EB14CFA6E84869DB3B5FB98F85F418216EE4947B18DF38C245CB40
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsOverlappedRecvResultWaitmemset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3426673637-0
                                                                                                                    • Opcode ID: b8b262f54c82b47c603efcc098acbee309593ccfe0400ca3453b4a2416fff10a
                                                                                                                    • Instruction ID: b8f4fa9600df94259bd9694fa8f0a63cf0eb0a838cd8379cb399b7518a8b0793
                                                                                                                    • Opcode Fuzzy Hash: b8b262f54c82b47c603efcc098acbee309593ccfe0400ca3453b4a2416fff10a
                                                                                                                    • Instruction Fuzzy Hash: 8E319032204B9687EB20CFA1F440BCEB7A4F798784F509226EB8853A24DF78C655CB44
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataErrorLastLockOpenSleepUnlock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3499886738-0
                                                                                                                    • Opcode ID: 4b723c17ec104936dfe9111a579a009fbd450c761b1b8f465c76b1695d4f4b3d
                                                                                                                    • Instruction ID: c7834fdd0390849f527c64f4636d572cb6a35cbe4a999f0225b72d893020673c
                                                                                                                    • Opcode Fuzzy Hash: 4b723c17ec104936dfe9111a579a009fbd450c761b1b8f465c76b1695d4f4b3d
                                                                                                                    • Instruction Fuzzy Hash: 3621C43632469183EB58DF61F48465DA3A0F789F80F849225EE4743B58DF3CD995CB44
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • EnumWindows.USER32 ref: 000001845C505B00
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34EB
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E34FD
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3510
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3527
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3556
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3568
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E357B
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3592
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35C1
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E35D3
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35E6
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35FD
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E362C
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E363E
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3654
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C505BC1
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C505BEB
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C505C01
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C505C2B
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C505C41
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C505C6B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSectionVirtual$Alloc$EnterRead$FreeLeave$EnumInitializeWindows
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3069422982-0
                                                                                                                    • Opcode ID: 2f14e0084ba98971cf671132d363b589f5a96daa3a02d213b3cc35717dadf936
                                                                                                                    • Instruction ID: 9297f04994ef853b59edc562f4bb21ddf5ef04fdb3750c8d0dc014cf5318b814
                                                                                                                    • Opcode Fuzzy Hash: 2f14e0084ba98971cf671132d363b589f5a96daa3a02d213b3cc35717dadf936
                                                                                                                    • Instruction Fuzzy Hash: 3941CF32311B1187EB68DF63E858A5EB3A5FB89F80B86C115DE8A43B14DF38D245C748
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$AddressAllocFreeLoadProcVirtual
                                                                                                                    • String ID: SetProcessDPIAware$user32.dll
                                                                                                                    • API String ID: 3041263384-1137607222
                                                                                                                    • Opcode ID: 2d5c190feabc2370d29f15f15ffb36fb6660cf0171777757c6844a959bed01c6
                                                                                                                    • Instruction ID: 79675da56a16de244377e4484ae897b5aca5542dcc9b181d62b1d0baeac49688
                                                                                                                    • Opcode Fuzzy Hash: 2d5c190feabc2370d29f15f15ffb36fb6660cf0171777757c6844a959bed01c6
                                                                                                                    • Instruction Fuzzy Hash: 43515435212F8697EB459F60E880BDD33E9FB09B45F989736C94D06364EF389258C368
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrcpy$DeviceDriveLogicalQueryStringslstrcatlstrlenwcsncmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1240803607-0
                                                                                                                    • Opcode ID: f5144d0f8da87860272a3bab1dd78902ada191ba324fd56ce968b0d5fe92846b
                                                                                                                    • Instruction ID: 685312c43e9ecb441297793f1e00e2db0b6edeae11e4694d384c66e6bdf61e0a
                                                                                                                    • Opcode Fuzzy Hash: f5144d0f8da87860272a3bab1dd78902ada191ba324fd56ce968b0d5fe92846b
                                                                                                                    • Instruction Fuzzy Hash: F2319376214A9293EA748F11E8007EE7361FB84FC5F848226DE8947B58EF3CC655CB44
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseControlCreateDeviceFileHandlelstrlenmemset
                                                                                                                    • String ID: \\.\{F8284233-48F4-4680-ADDD-F8284233}
                                                                                                                    • API String ID: 2589617790-329358119
                                                                                                                    • Opcode ID: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
                                                                                                                    • Instruction ID: 428480ea852dab226c5e4595e6cff94183beb8e87ffc1a5379930d7a05a665a3
                                                                                                                    • Opcode Fuzzy Hash: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
                                                                                                                    • Instruction Fuzzy Hash: 0E112636218A9183E7618B90F8447CAB3A0F7D9744F948226EA8943B58DF7DC248CB44
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5814
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F583E
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F5855
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F594C
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5976
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F599B
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F59C5
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F59EA
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                      • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                      • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 948184506-0
                                                                                                                    • Opcode ID: 2398d3e56b10dcafaaf99b981a30711067a2213169235feba3d334b158cf1ca3
                                                                                                                    • Instruction ID: bb393b75247a710a1a8de15f26fa3ebb08409bfb7f5e40095d8d8476c63545f3
                                                                                                                    • Opcode Fuzzy Hash: 2398d3e56b10dcafaaf99b981a30711067a2213169235feba3d334b158cf1ca3
                                                                                                                    • Instruction Fuzzy Hash: B9613B36301F5187EB68DF62E494A9EB3A5FB99B80F45C225CE8A43B14DF38D254C748
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5394
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F53BE
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F53D5
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F54C1
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F54EB
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5510
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F553A
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F555F
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                      • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                      • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 948184506-0
                                                                                                                    • Opcode ID: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
                                                                                                                    • Instruction ID: 7c1ca102a37f1e6b7ba3e6a967b8e7008370b7aeb40131eb1da9629f46fb4d08
                                                                                                                    • Opcode Fuzzy Hash: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
                                                                                                                    • Instruction Fuzzy Hash: 4A614D36311F4187EB64DF62E494A9EB3A5FB99B80F45C225CE8A43B14DF38E254C748
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4DE4
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4E0E
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F4E25
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4EFB
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4F25
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4F4A
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4F74
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4F99
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                      • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                      • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 948184506-0
                                                                                                                    • Opcode ID: f7de3ef79a839558e92453357d372ecf487bd6df2e347dd270595c6328062898
                                                                                                                    • Instruction ID: 4b46c0b862d2478ee9667a801caf52cbfe3f92598fb15ed89ebf88f1d39863b9
                                                                                                                    • Opcode Fuzzy Hash: f7de3ef79a839558e92453357d372ecf487bd6df2e347dd270595c6328062898
                                                                                                                    • Instruction Fuzzy Hash: 82513936311F4187EB64CF62E454A9EB3A5FB99B80F45C225DE8A43B14DF39E2508748
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F55E4
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F560E
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F5625
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F56FB
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5725
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F574A
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5774
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5799
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                      • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                      • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 948184506-0
                                                                                                                    • Opcode ID: c4c301c77432ef5703f60f68f188faa43b288a4f8a8c10df986e60a82f244a90
                                                                                                                    • Instruction ID: 807de75ceb3c72c2e28623555a95dc77b249acc624efcd4a7de5c9c38e7d0a85
                                                                                                                    • Opcode Fuzzy Hash: c4c301c77432ef5703f60f68f188faa43b288a4f8a8c10df986e60a82f244a90
                                                                                                                    • Instruction Fuzzy Hash: 66515A32711F4287EB64DF62E494A9EB3A5FB89B80F45C225DE8A43B14DF38D254C748
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4754
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F477E
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F4795
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F486B
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4895
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F48BA
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F48E4
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4909
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                      • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                      • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 948184506-0
                                                                                                                    • Opcode ID: 80f34942a8f8c4bc9a5d5aa5a2718efda92b851cc4559cc26846c331e5552837
                                                                                                                    • Instruction ID: a345856d8bdf946714216f5c05df4beef8978860a06d23c120fadd271a3137e3
                                                                                                                    • Opcode Fuzzy Hash: 80f34942a8f8c4bc9a5d5aa5a2718efda92b851cc4559cc26846c331e5552837
                                                                                                                    • Instruction Fuzzy Hash: 7F514B36311F4187EB64DF62E454A9EB3A5FB99B80F45C225CE8A43B14DF38E254C748
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4984
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                      • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                      • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F49AE
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F49C5
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4A90
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4ABA
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4ADF
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4B09
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4B2E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 948184506-0
                                                                                                                    • Opcode ID: d577543977fa0da55da5beeaf9c154f68529e181afdaea789ff489f112afd6f9
                                                                                                                    • Instruction ID: 198f30afb120615c013f4b2ddeceb5fbcc42efe3d3a757dbe664e20affcfaa7f
                                                                                                                    • Opcode Fuzzy Hash: d577543977fa0da55da5beeaf9c154f68529e181afdaea789ff489f112afd6f9
                                                                                                                    • Instruction Fuzzy Hash: 04516932701F4187EB68CF62E454A9EB3A4FB89B80F45C225DE8A03B14DF38E2508748
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4BB4
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                      • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                      • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                      • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4BDE
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F4BF5
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4CC0
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4CEA
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4D0F
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4D39
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4D5E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 948184506-0
                                                                                                                    • Opcode ID: 2bfe56d21f156cdcea5c1fa0c3f246f0bbc4458051a62838ba9f3e51130bed6a
                                                                                                                    • Instruction ID: d6893d842b8d5dbebf201952d41a42409f80e8b7f9aca544400a0b7bbc53e884
                                                                                                                    • Opcode Fuzzy Hash: 2bfe56d21f156cdcea5c1fa0c3f246f0bbc4458051a62838ba9f3e51130bed6a
                                                                                                                    • Instruction Fuzzy Hash: 00515B32311F4187EB64CF62E454A9EB3A4FB99B80F45D225DF8A43B14DF38E2508748
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule$ProtectVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3544755384-0
                                                                                                                    • Opcode ID: f336a93fce01c34d2cdd8dc85c5afcd615c05bd6414b2de0b853565f956b5444
                                                                                                                    • Instruction ID: 7bffd8782f61dc45d7f2c37fbeda79c48e64136402236ab625615e33cd4500db
                                                                                                                    • Opcode Fuzzy Hash: f336a93fce01c34d2cdd8dc85c5afcd615c05bd6414b2de0b853565f956b5444
                                                                                                                    • Instruction Fuzzy Hash: 2521C03261274AC3EB688F54F94479DB3A0F759B89F458226DA4A03754DF3CD690C784
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: header crc mismatch$unknown compression method$unknown header flags set
                                                                                                                    • API String ID: 0-1578397619
                                                                                                                    • Opcode ID: e25e35bceeda68fd401eb5c3d57224b9677d2a7e1ffcce3a57853ce86f0d9926
                                                                                                                    • Instruction ID: 5a0ef0aca7786ef8a843f3365bd58339cd70752a9b5798574b4149ddb89ca930
                                                                                                                    • Opcode Fuzzy Hash: e25e35bceeda68fd401eb5c3d57224b9677d2a7e1ffcce3a57853ce86f0d9926
                                                                                                                    • Instruction Fuzzy Hash: 0002A17260076A8BF7298F66C2843AD7BB0F724748F148618CF59A7B90DF74D668C748
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalFreeSection$AllocCreateEnterFileFindFirstLeaveReadThreadfreemallocmemset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4255097067-0
                                                                                                                    • Opcode ID: 93b94569c2330fb7e55a1628781f64fdf0fd3d0c7a61c3191a88b0bb3e2625d6
                                                                                                                    • Instruction ID: d569cb462e09c56cbb76818401c7c7dc9f4f1452740e2df1616fdfe809ce6b03
                                                                                                                    • Opcode Fuzzy Hash: 93b94569c2330fb7e55a1628781f64fdf0fd3d0c7a61c3191a88b0bb3e2625d6
                                                                                                                    • Instruction Fuzzy Hash: FF219F36301A8583EB609F22D94879D63A4F799FC4F558232CE9A47748DF3DCA49CB40
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                    • String ID: gfffffff
                                                                                                                    • API String ID: 3215553584-1523873471
                                                                                                                    • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                    • Instruction ID: bbbae7935abc3b7bee493bde96c9e43f93909778a7fcba09dae96741df72da8d
                                                                                                                    • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                    • Instruction Fuzzy Hash: BC912373B057C987EB15CB2EA4103EDBBA5A755B84F05C022CA9A877D5EF39C606CB01
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                    • String ID: gfffffff
                                                                                                                    • API String ID: 3215553584-1523873471
                                                                                                                    • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                    • Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
                                                                                                                    • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                    • Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocFree
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2087232378-0
                                                                                                                    • Opcode ID: 04065c5e2a1c05127fb750dc6d994f61d80097cc70ac26d1f1ef4872fede59b7
                                                                                                                    • Instruction ID: 832a3f2e7a29a9836b83f5af69bbcdbb0820ccca9b864b8a6bee79e322215e6f
                                                                                                                    • Opcode Fuzzy Hash: 04065c5e2a1c05127fb750dc6d994f61d80097cc70ac26d1f1ef4872fede59b7
                                                                                                                    • Instruction Fuzzy Hash: 13810432710B8183EB15DF36D6446AEA791FBDAB80F01E715DE8A53B41EF38D2868705
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: NamedPipe$ConnectCreateErrorLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3851520242-0
                                                                                                                    • Opcode ID: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
                                                                                                                    • Instruction ID: d9c12c89d9cff51a6c4af6bfd7129be2dfa45d5945386ed6c289375d7cf0e034
                                                                                                                    • Opcode Fuzzy Hash: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
                                                                                                                    • Instruction Fuzzy Hash: 2901D432204A4183D710CF56F90029DF2A4EB98BF4F448322EA69437A4DF78C9548B08
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$Leave$EnterRead$AllocVirtual$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3051317124-0
                                                                                                                    • Opcode ID: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
                                                                                                                    • Instruction ID: 7fcc51e74507427d558d06e0d646cb2ec922c2a7f3a1789315711da78935eff0
                                                                                                                    • Opcode Fuzzy Hash: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
                                                                                                                    • Instruction Fuzzy Hash: A7F13C31200B41C7EB5A8F22E9107AD73A4FB59F84F89D626DE4A47794DF38C654C349
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$memset$wsprintf$AttributesDeleteMovelstrlen$Virtuallstrcpy$AllocByteCharCopyFreeMultiPathRemoveSpecWide
                                                                                                                    • String ID: %s\%s
                                                                                                                    • API String ID: 467509054-4073750446
                                                                                                                    • Opcode ID: 5c9f1cf80f21698ae4ba0fa0fdced245dadeac4cbc76957ae87b01c586a556f9
                                                                                                                    • Instruction ID: 0557462e2511f5fdd9916bff3470d00ad16a0ddd7caf4ebb016a5b5eb61b28a1
                                                                                                                    • Opcode Fuzzy Hash: 5c9f1cf80f21698ae4ba0fa0fdced245dadeac4cbc76957ae87b01c586a556f9
                                                                                                                    • Instruction Fuzzy Hash: B4512A32210AABA7EB24DFA4DC547DD6361F7A5B48FC19213D50D8B969EE38C309C780
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandle$FreeVirtual$CriticalDeleteSection$Event
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 10935847-0
                                                                                                                    • Opcode ID: 27ff84aaf12ebd0a39dbd24038505bf2bb04301d1514b24ab1ddd3ff12eebcae
                                                                                                                    • Instruction ID: 878d955f54ccf8eb58f1fe1b9ac43e9657c8cbf8da68984dc8bc3e2cc9aeeafa
                                                                                                                    • Opcode Fuzzy Hash: 27ff84aaf12ebd0a39dbd24038505bf2bb04301d1514b24ab1ddd3ff12eebcae
                                                                                                                    • Instruction Fuzzy Hash: 3A817C35302A12C7EB68CFA2E550BADB3A0FB95F44F49D615CB4A43A54CF38D650C399
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$AllocVirtual$EnterLeaveRead$CreateEventInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3948381741-0
                                                                                                                    • Opcode ID: 0c97ca10ba80cdc1344fd5c304f31d40c1b2c9626c21ca69a6339e3747ea0fdc
                                                                                                                    • Instruction ID: e710c07821e30283075fa70c01753ab7e82c8e3fa00fb2e101763f28d25c6838
                                                                                                                    • Opcode Fuzzy Hash: 0c97ca10ba80cdc1344fd5c304f31d40c1b2c9626c21ca69a6339e3747ea0fdc
                                                                                                                    • Instruction Fuzzy Hash: 5B615A31311F5583EB498F61E9103ADB3A4F768F80F84C626DA5A93B94DF38DA65C348
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: String$AllocFree$CreateInstanceUninitialize$Initialize
                                                                                                                    • String ID: Block All Outbound$Block all outbound traffic$BlockAllGroup$i33L
                                                                                                                    • API String ID: 2562062002-1644180588
                                                                                                                    • Opcode ID: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
                                                                                                                    • Instruction ID: 67b64ffcbd2fd57c0f05b0eb1cf820b9490b20c5a33cf506ac8011a674157a0f
                                                                                                                    • Opcode Fuzzy Hash: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
                                                                                                                    • Instruction Fuzzy Hash: F251DF76700B558BEB00DF66E88429C77B0F798F88F508626DA5A47B28DF38C619CB45
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$Current$Terminate$memsetwsprintf$ObjectSessionSingleWait
                                                                                                                    • String ID: \\.\Pipe\%d_Local_%d$\\.\Pipe\%d_pipe%d
                                                                                                                    • API String ID: 1631145905-82101934
                                                                                                                    • Opcode ID: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
                                                                                                                    • Instruction ID: 855e2c70c8fcbaaf044d8c01572b3bbabff9e8fd249cbb87d63b95a198d7cec9
                                                                                                                    • Opcode Fuzzy Hash: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
                                                                                                                    • Instruction Fuzzy Hash: 4131D372300A9683EB249F62EC447DEA3A1F7A5F88F44C221C94A43769DF3CC649CB54
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSectionVirtual$Alloc$EnterReadsetsockopt$Leave$accept$CancelCreateFreeInitializeIoctlSleepThreadclosesocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 241427152-0
                                                                                                                    • Opcode ID: 8054d77f63a71bffb60c6de152fa376652fa5a9bac917f7a9e8e23a3707f0d6a
                                                                                                                    • Instruction ID: 6cd1a3acc32c5b153c1e9818a603772dd601a56ec0a2500606ee99b1b1986fee
                                                                                                                    • Opcode Fuzzy Hash: 8054d77f63a71bffb60c6de152fa376652fa5a9bac917f7a9e8e23a3707f0d6a
                                                                                                                    • Instruction Fuzzy Hash: 49619072204B9287E7248F51E404B9EB7B4F789B84F448225DF8A07B54CF3DD659CB48
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504DB7
                                                                                                                    • InitializeCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504DEF
                                                                                                                    • CreateEventW.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E01
                                                                                                                    • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E1C
                                                                                                                    • InitializeCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E2E
                                                                                                                    • IsBadReadPtr.KERNEL32 ref: 000001845C504E49
                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E5C
                                                                                                                    • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E73
                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504EA2
                                                                                                                    • IsBadReadPtr.KERNEL32 ref: 000001845C504EB4
                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504EC7
                                                                                                                    • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504EDE
                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504F0D
                                                                                                                    • IsBadReadPtr.KERNEL32 ref: 000001845C504F1F
                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504F32
                                                                                                                    • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504F49
                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504F78
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$AllocVirtual$EnterLeaveRead$Initialize$CreateEvent
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3934889794-0
                                                                                                                    • Opcode ID: d745ae7875c7a808b0e5a312b163fd60a6495f42bc51f35149f49f448c640802
                                                                                                                    • Instruction ID: 6696c874fd5983120837ab6dd2d448884f2ea31bdb7d655246a8b214461c05c5
                                                                                                                    • Opcode Fuzzy Hash: d745ae7875c7a808b0e5a312b163fd60a6495f42bc51f35149f49f448c640802
                                                                                                                    • Instruction Fuzzy Hash: E3516332310F5583EB498F61E9003ADB3A4F768F84F84C626DA5983B94DF38D664C344
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandle$DisconnectNamedPipe$Terminate$FreeThreadVirtual$CriticalDeleteProcessSection
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2021643575-0
                                                                                                                    • Opcode ID: e1219eb5096a696673c920ee8a3caf4302f5afb9c9ade7e8d0e7ee9dfdca1525
                                                                                                                    • Instruction ID: 7e1a62af1d704765280f64b6cb085d0335ad0aaffd0a6fc60902fa5da5ef2e7a
                                                                                                                    • Opcode Fuzzy Hash: e1219eb5096a696673c920ee8a3caf4302f5afb9c9ade7e8d0e7ee9dfdca1525
                                                                                                                    • Instruction Fuzzy Hash: 8F412B35202A6683FF58CFA2D56036DA364FFA4F88F08C616DE4A42A54CF38C551D399
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpy
                                                                                                                    • String ID: %s|%s|%d$OOM$default$ener)$http_proxy$init server failed$lws_create_vhost$lws_free$lws_protocol_init failed$port %u$same vh list$vh plugin table$|%s$|%u
                                                                                                                    • API String ID: 3510742995-1324429581
                                                                                                                    • Opcode ID: 379c9d18fd57c2ae79b8b94559fee726fe2e35d7262676346e3f36fa73a1b13f
                                                                                                                    • Instruction ID: 5e00151059da1ab7c5e5c270476b7771a355b4ad3b78c73f18ed2614c4a0ab7d
                                                                                                                    • Opcode Fuzzy Hash: 379c9d18fd57c2ae79b8b94559fee726fe2e35d7262676346e3f36fa73a1b13f
                                                                                                                    • Instruction Fuzzy Hash: 05025932201B9A97EB54CF65D8843EDB3A0F768B88F948226DE8D47795EF38D651C304
                                                                                                                    APIs
                                                                                                                    • IsBadReadPtr.KERNEL32 ref: 000001845C4E725A
                                                                                                                      • Part of subcall function 000001845C4F8120: VirtualAlloc.KERNEL32(?,?,00000000,000001845C4F6D58), ref: 000001845C4F8137
                                                                                                                      • Part of subcall function 000001845C4F8120: InitializeCriticalSection.KERNEL32(?,?,00000000,000001845C4F6D58), ref: 000001845C4F8165
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • memset.NTDLL ref: 000001845C4E7295
                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 000001845C4E729A
                                                                                                                    • wsprintfW.USER32 ref: 000001845C4E72B6
                                                                                                                    • WaitForSingleObject.KERNEL32 ref: 000001845C4E72D3
                                                                                                                    • WaitForSingleObject.KERNEL32 ref: 000001845C4E731B
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4E733A
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4E7364
                                                                                                                    • DisconnectNamedPipe.KERNEL32 ref: 000001845C4E737B
                                                                                                                    • CloseHandle.KERNEL32 ref: 000001845C4E738A
                                                                                                                    • DeleteCriticalSection.KERNEL32 ref: 000001845C4E7398
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4E73A9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$Alloc$Read$EnterFree$InitializeLeaveObjectSingleWait$CloseCurrentDeleteDisconnectHandleNamedPipeProcessmemsetwsprintf
                                                                                                                    • String ID: \\.\Pipe\%d_Local_%d
                                                                                                                    • API String ID: 2297721380-251893267
                                                                                                                    • Opcode ID: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
                                                                                                                    • Instruction ID: c5ac6a36f550d9636fa504cc26cb0c70735a4b6d3f0ac769dc8172948c9a9ddd
                                                                                                                    • Opcode Fuzzy Hash: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
                                                                                                                    • Instruction Fuzzy Hash: A9417F31300A52C3EBA89F62E5547AEA3A1FB95F94F44C221CE4A47A94DF3CC685C349
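                                                                                                                     The function above calls GetCurrentProcessId and then wsprintfW with the format string \\.\Pipe\%d_Local_%d, so the pipe it creates carries two decimal fields, the first of which is most likely (the report does not prove this) the creating process's PID. That gives a simple host-side hunting check: enumerate named pipes and flag names of the form <number>_Local_<number>, then see whether the first field is a live PID. The Python below is an added example written for this page, not code from the report or from the sample; the pipe names and PID list in it are constructed, and enumeration via os.listdir(r"\\.\pipe\\") is assumed to run on a Windows host (it returns nothing elsewhere so the sample data is used).

```python
import os
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Regex derived from the format string "\\.\Pipe\%d_Local_%d" seen in this
# function. wsprintfW's %d is a signed decimal, so allow an optional '-' on
# each field.
PIPE_NAME_RE = re.compile(r"^(-?\d+)_Local_(-?\d+)$")


def pipe_basename(name: str) -> str:
    """Return the last path component of a pipe name (the bare pipe name)."""
    return name.rsplit("\\", 1)[-1]


def parse_pipe_name(name: str) -> Optional[Tuple[int, int]]:
    """Return (first_field, second_field) if the name matches, else None."""
    m = PIPE_NAME_RE.match(pipe_basename(name))
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def find_suspicious_pipes(names: Iterable[str]) -> List[str]:
    """Return the bare names of all pipes matching the observed pattern."""
    return [pipe_basename(n) for n in names if parse_pipe_name(n) is not None]


def correlate_with_pids(names: Iterable[str],
                        live_pids: Iterable[int]) -> Dict[int, List[str]]:
    """Group matching pipes by their first numeric field when it is a live PID.

    GetCurrentProcessId is called right before wsprintfW, so the first %d is
    assumed (not proven by the report) to be the creator's PID.
    """
    pids = set(live_pids)
    out: Dict[int, List[str]] = {}
    for n in names:
        parsed = parse_pipe_name(n)
        if parsed is not None and parsed[0] in pids:
            out.setdefault(parsed[0], []).append(pipe_basename(n))
    return out


def list_named_pipes() -> List[str]:
    """Enumerate current named pipes; only meaningful on Windows (assumption)."""
    if sys.platform != "win32":
        return []
    return os.listdir(r"\\.\pipe\\")


# Constructed sample: benign system pipe names plus two in the observed format.
SAMPLE_PIPES = [
    r"\\.\pipe\lsass",
    r"\\.\pipe\srvsvc",
    r"\\.\pipe\Winsock2\CatalogChangeListener-3a4-0",
    r"\\.\pipe\4512_Local_1733",
    r"\\.\pipe\9900_Local_42",
    r"\\.\pipe\chrome.1234.5.678",
]
# Constructed process list; 4512 is running, 9900 is not (a stale or spoofed name).
SAMPLE_PIDS = [4, 612, 4512, 7788]


if __name__ == "__main__":
    names = list_named_pipes() or SAMPLE_PIPES
    for hit in find_suspicious_pipes(names):
        print("suspicious pipe:", hit)
    for pid, pipes in correlate_with_pids(names, SAMPLE_PIDS).items():
        print(f"pid {pid} owns {pipes}")
```

A match alone is only a lead: the name pattern is cheap for any software to produce, so confirm by checking which process holds the pipe handle and whether that process is the injected svchost.exe instance this report describes.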
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$setsockopt$Ioctlgetprotobynameioctlsocket
                                                                                                                    • String ID: TCP$WSAIoctl SIO_KEEPALIVE_VALS 1 %lu %lu failed with error %d$ioctlsocket FIONBIO 1 failed with error %d$setsockopt SO_KEEPALIVE 1 failed with error %d
                                                                                                                    • API String ID: 689193069-3784515845
                                                                                                                    • Opcode ID: 8a574de51de2f7b9e0da6b50ddb537149f76536c045387673f248ec90f46c37e
                                                                                                                    • Instruction ID: 6d809c91e39f023ebf6ce9a52cce65c7296deccf03c5775e8562dc9700bc4213
                                                                                                                    • Opcode Fuzzy Hash: 8a574de51de2f7b9e0da6b50ddb537149f76536c045387673f248ec90f46c37e
                                                                                                                    • Instruction Fuzzy Hash: AA41A33260479A87E710CFA1E4447CDB7A4F398B94F948226DE8843754DF7DDA49CB84
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrlen$ByteCharMultiVirtualWide$CreateDirectoryFreememset$Allocmemcpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2091574596-0
                                                                                                                    • Opcode ID: 1b4b82f0b7e4c8ea5fbd9bd08a66728b17502ecdaec804405791d5810d399e2d
                                                                                                                    • Instruction ID: ff2a2f3fec7bd8073ca490bb3b5af2cc68b85054965affe223272a6ee54c39d8
                                                                                                                    • Opcode Fuzzy Hash: 1b4b82f0b7e4c8ea5fbd9bd08a66728b17502ecdaec804405791d5810d399e2d
                                                                                                                    • Instruction Fuzzy Hash: DB31F231304A9143E764CF66F9403EDA3A1EB9AFC5F448225DB4A83B95DF3CD6458708
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _time64randsrand
                                                                                                                    • String ID: !"#$$%&'$()*+$,-./$0123$4567$89:;$<=>?
                                                                                                                    • API String ID: 1363323005-2655883160
                                                                                                                    • Opcode ID: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
                                                                                                                    • Instruction ID: e7bb334ec8f8dd59bd997d665c30ff9287afab48d4810f77c595541bf5deefc9
                                                                                                                    • Opcode Fuzzy Hash: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
                                                                                                                    • Instruction Fuzzy Hash: 29114FB6B117A48FEB04CFA1A88409D7BB0F349B88B945629DA5A67B08CB34D241CF55
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$Socketgetaddrinfo
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1420131935-0
                                                                                                                    • Opcode ID: 588b49dada4d53f0dea3a9a8b5e910038bbe1c700624a725d7562d88239a8e1e
                                                                                                                    • Instruction ID: 34a5965bd840560312aa75ad6a39f3d29034b6f120860fd1fbf506b28fe4d1c5
                                                                                                                    • Opcode Fuzzy Hash: 588b49dada4d53f0dea3a9a8b5e910038bbe1c700624a725d7562d88239a8e1e
                                                                                                                    • Instruction Fuzzy Hash: 1851AA72610B958BE720CFA1E4047DD77B4F758B98F408226EE4963B98CF39C659CB48
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$EventLeave$CloseEnterHandleObjectReadSingleSleepWait
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1497552152-0
                                                                                                                    • Opcode ID: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
                                                                                                                    • Instruction ID: 30d4f9ba48e0e04d64343985af919b576cc3f06bed5ca7a08c9fea9a20231a29
                                                                                                                    • Opcode Fuzzy Hash: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
                                                                                                                    • Instruction Fuzzy Hash: 40415D31300A52C7EB588FA1E9407EC73A0FB9AF88F499621DF5A47755CF38C6558349
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Create$CompatibleMetricsObjectSectionSelectSystem$AllocDesktopEventVirtualWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 623393097-0
                                                                                                                    • Opcode ID: d4d23b9cfb9482bdb896885728d8e23ede41b5937629a3350251762cf16a0030
                                                                                                                    • Instruction ID: 9ec0aa94372e5666acb642bdd4242b29b18dae0fb38c2b26442917d1c64ca7da
                                                                                                                    • Opcode Fuzzy Hash: d4d23b9cfb9482bdb896885728d8e23ede41b5937629a3350251762cf16a0030
                                                                                                                    • Instruction Fuzzy Hash: 3F411336200B65E7D718CF65E64868EB3B0F349B80F40861ADB8943B10DF38E176CB84
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpy$AllocVirtualmemset$EnvironmentExpandStrings
                                                                                                                    • String ID: 18.166.104.207$C:\Program Files\Windows Mail
                                                                                                                    • API String ID: 791498746-2084219332
                                                                                                                    • Opcode ID: 2b26ddc07f84ee4290e8d8fcb28feba32ce194d0abf94b4343b1801c1ea13578
                                                                                                                    • Instruction ID: 74fc471dae3d6dc65b53cfe62ee9ae27f82a002a617cbe515a34c5a375ad073d
                                                                                                                    • Opcode Fuzzy Hash: 2b26ddc07f84ee4290e8d8fcb28feba32ce194d0abf94b4343b1801c1ea13578
                                                                                                                    • Instruction Fuzzy Hash: 6871A572A15B8683E711CB28D5417ED7B60F7AAB88F14D315CE4953722FF28A285C704
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5FAF
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F5FD9
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F6036
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F6060
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F60A2
                                                                                                                    • CreateFileW.KERNEL32 ref: 000001845C4F60CE
                                                                                                                    • DeviceIoControl.KERNEL32 ref: 000001845C4F6115
                                                                                                                    • CloseHandle.KERNEL32 ref: 000001845C4F6123
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$CloseControlCreateDeviceFileHandleInitialize
                                                                                                                    • String ID: D"$\\.\TrueSight
                                                                                                                    • API String ID: 655973622-2684836731
                                                                                                                    • Opcode ID: 27a08fb4fa4a8848856c421baff81ff9c7be46c9889b924c32ca9501aac5b7be
                                                                                                                    • Instruction ID: db24b36c7235ecd245bc8b8b5bd7a0bf9b011b9328e1d36dfd6faa44b60d45db
                                                                                                                    • Opcode Fuzzy Hash: 27a08fb4fa4a8848856c421baff81ff9c7be46c9889b924c32ca9501aac5b7be
                                                                                                                    • Instruction Fuzzy Hash: C1517F32714B9187EB64DF62E55479EB3A1FB99B80F44C215DB8A03B94DF38D2548B04
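The function records above (an APIs list, a Strings list, the Memory Dump Source, the IDA-plugin snapshot and the Similarity block, one block per function) are the part of the report an analyst actually pivots on: the record just above, for instance, pairs CreateFileW and DeviceIoControl with the string `\\.\TrueSight`, and an earlier one carries an IPv4 literal and a file path. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: a small Python parser for this record layout (inferred from the lines on this page) plus triage rules for device object paths, IPv4 literals and Windows file paths. The triage rules are this example's own assumptions, and the sample input is constructed from trimmed copies of the records above.

```python
"""Parse Joe Sandbox IDA-plugin function records and pull out pivot strings.

Added example for this page; not Joe Sandbox code. The record layout (APIs /
Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity, "APIs"
opening each block) is inferred from the report; the triage rules are assumptions.
"""
import re

# One API line: optional "Part of subcall function <addr>: " prefix, then
# Name.MODULE, optional "(args)", optional ",", then " ref: <addr>".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Pivot heuristics (this example's assumptions): NT device object paths,
# dotted-quad IPv4 literals and absolute Windows file paths.
DEVICE_RE = re.compile(r"^\\\\\.\\[^\\]+")      # \\.\Name
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
WINPATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_records(text):
    """Return one dict per function record: {"apis": [...], "strings": [...], "meta": {...}}."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":                 # "APIs" opens every record
                if cur is not None:
                    records.append(cur)
                cur = {"apis": [], "strings": [], "meta": {}}
            section = line
            continue
        if cur is None:                        # text before the first record
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                cur["apis"].append({"name": m["name"], "module": m["module"],
                                    "ref": m["ref"], "subcall": m["sub"]})
        elif ":" in item:
            key, _, value = item.partition(":")
            key, value = key.strip(), value.strip()
            if key == "String ID":             # "$" separates the matched strings
                cur["strings"] = [s for s in value.split("$") if s]
            elif key == "Source File":         # "<dump>, Offset: <addr>, based on PE: <bool>"
                parts = value.split(", ")
                cur["meta"]["Source File"] = parts[0]
                for part in parts[1:]:
                    k, _, v = part.partition(": ")
                    cur["meta"][k] = v
            elif key == "Associated":
                cur["meta"].setdefault("Associated", []).append(value)
            else:
                cur["meta"][key] = value
    if cur is not None:
        records.append(cur)
    return records


def _is_ipv4(s):
    return bool(IPV4_RE.match(s)) and all(int(o) <= 255 for o in s.split("."))


def triage(record):
    """Classify a record's strings and note API/string combinations worth a closer look."""
    apis = {a["name"] for a in record["apis"]}
    strings = record["strings"]
    out = {
        "device_paths": [s for s in strings if DEVICE_RE.match(s)],
        "ipv4": [s for s in strings if _is_ipv4(s)],
        "file_paths": [s for s in strings if WINPATH_RE.match(s)],
        "notes": [],
    }
    if out["device_paths"] and {"CreateFileW", "DeviceIoControl"} <= apis:
        out["notes"].append("opens a device object and sends it an IOCTL: identify the driver behind it")
    if out["ipv4"]:
        out["notes"].append("hard-coded IPv4 literal: pivot on it in the contacted-hosts section")
    return out


# Constructed input: trimmed copies of two records from this report.
SAMPLE = r"""
APIs
• Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
• VirtualFree.KERNEL32 ref: 000001845C4F5FAF
• CreateFileW.KERNEL32 ref: 000001845C4F60CE
• DeviceIoControl.KERNEL32 ref: 000001845C4F6115
• CloseHandle.KERNEL32 ref: 000001845C4F6123
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$CloseControlCreateDeviceFileHandleInitialize
• String ID: D"$\\.\TrueSight
APIs
Strings
Similarity
• API ID: memcpy$AllocVirtualmemset$EnvironmentExpandStrings
• String ID: 18.166.104.207$C:\Program Files\Windows Mail
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, rec["meta"].get("Offset"), triage(rec))
```

Run it against a saved copy of the report's function-analysis section: `parse_records` splits it into one dict per function, and `triage` turns the string list into something you can grep for across samples. The `subcall` field keeps the "Part of subcall function" attribution, so an API that only appears via a shared helper (the VirtualAlloc/CriticalSection helper at 000001845C4E3330 in these records) is not mistaken for a direct call from the function being described.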
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Processlstrcmpi$CreateCurrentSessionThreadmemset
                                                                                                                    • String ID: HTTP$TCP$UDP
                                                                                                                    • API String ID: 1333632082-3864057669
                                                                                                                    • Opcode ID: 79ca34c42b3aab9032cd5f6da8ec8d408d609f69abcf2edea33bd93b63b32bf1
                                                                                                                    • Instruction ID: 50a599c4fc0382cdef9a70babf022e4a1813171d334cbf6fefcfa4f29feb3cfa
                                                                                                                    • Opcode Fuzzy Hash: 79ca34c42b3aab9032cd5f6da8ec8d408d609f69abcf2edea33bd93b63b32bf1
                                                                                                                    • Instruction Fuzzy Hash: 4231C472614B9693E724CF61E8507DEB3B1F798B44F80D226D94A83654EF3CC685C744
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F3F23
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F3F4D
                                                                                                                    • SetEvent.KERNEL32 ref: 000001845C4F3F7D
                                                                                                                    • WaitForSingleObject.KERNEL32 ref: 000001845C4F3F8F
                                                                                                                    • TerminateThread.KERNEL32 ref: 000001845C4F3F9A
                                                                                                                    • CloseHandle.KERNEL32 ref: 000001845C4F3FA8
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F3FE0
                                                                                                                    • WaitForSingleObject.KERNEL32 ref: 000001845C4F4011
                                                                                                                    • TerminateThread.KERNEL32 ref: 000001845C4F401C
                                                                                                                    • CloseHandle.KERNEL32 ref: 000001845C4F402A
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F4057
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$CloseHandleLeaveObjectSingleTerminateThreadWait$EventInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3987515053-0
                                                                                                                    • Opcode ID: 28e91978891c492b1cbaac380f24f71bf40da3fb043633dbee495f36113eb4af
                                                                                                                    • Instruction ID: ca93fae89915665d842f889c69bc192a4c065d4c82c2ad38e9731d2e6606e19b
                                                                                                                    • Opcode Fuzzy Hash: 28e91978891c492b1cbaac380f24f71bf40da3fb043633dbee495f36113eb4af
                                                                                                                    • Instruction Fuzzy Hash: 13414931306A0283FB58DF62E5547AEA3A1FB9AFC0F48D215CE4A07B59CF38D6518358
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Service$CloseDatabaseFreeHandleOpenVirtual$ChangeConfigLockManagerQuerySleepStatusUnlock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3731607402-0
                                                                                                                    • Opcode ID: a9eb4e77f0189a9487206b475b1535da776a34eb102c6930cb2e8e0098df8897
                                                                                                                    • Instruction ID: 7ef48e071a7823fc2dd2c2895498d5f754f6f85ea59f69e77aa34da865041dc5
                                                                                                                    • Opcode Fuzzy Hash: a9eb4e77f0189a9487206b475b1535da776a34eb102c6930cb2e8e0098df8897
                                                                                                                    • Instruction Fuzzy Hash: B041AE36300B5583EB68DF52A854B9EB3A5FB98F90F94C219CE9A43B14DF38C545C744
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process32$CloseHandleNextfreelstrcmpi$CreateFirstSnapshotToolhelp32malloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2997854644-0
                                                                                                                    • Opcode ID: fbb00ed28ea78f619fe1ddfcfc2a1448f07964961530676492a00d6974b8df58
                                                                                                                    • Instruction ID: 9db34ad6e6b4e5e7408b8770385eb6d4f3c5a65b3f4beec7d8d521f84c67f2fe
                                                                                                                    • Opcode Fuzzy Hash: fbb00ed28ea78f619fe1ddfcfc2a1448f07964961530676492a00d6974b8df58
                                                                                                                    • Instruction Fuzzy Hash: 8621F131300A4683EB688F66E9543ADA3A1F799FC0F89C325DD468B754DF3CDA408388
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Desktop$Thread$CloseInformationObjectUsermemset$CurrentInputOpenlstrcmpi
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2480204736-0
                                                                                                                    • Opcode ID: a7e5f87c476b32af149d3a23a836e4c12a9df15ddd786ef6baeaf1639c8a2ace
                                                                                                                    • Instruction ID: 9c5ee9bb365f09d7e9d1001a9134c019b478b925d5d226d5b96fb8a0a86163eb
                                                                                                                    • Opcode Fuzzy Hash: a7e5f87c476b32af149d3a23a836e4c12a9df15ddd786ef6baeaf1639c8a2ace
                                                                                                                    • Instruction Fuzzy Hash: 86213935214B9693EB289F51E8587CEA3A1F799F84F848626DA4A43B54DF3CC309C784
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalFreeSectionVirtual$LeaveRead$Enter
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3895189749-0
                                                                                                                    • Opcode ID: 5b659170a3c5bc0ddeb54f8c31c300c9ac37a021183c1e4ae1f509fd982aa9e7
                                                                                                                    • Instruction ID: 85350888a5917fb9c70af8f152ee6b948ec715a433e70898b9c3038d39623a7b
                                                                                                                    • Opcode Fuzzy Hash: 5b659170a3c5bc0ddeb54f8c31c300c9ac37a021183c1e4ae1f509fd982aa9e7
                                                                                                                    • Instruction Fuzzy Hash: 67515F31301E4287FB588F62E4507AEA3A5FB9AF84F48C621DE4A4BB54DF3DD6458348
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: getaddrinfo
                                                                                                                    • String ID: DNS NXDOMAIN$GET$MQTT$POST$PUT$UDP$YZ[\X]^_RAW$client_connect2
                                                                                                                    • API String ID: 300660673-2214405465
                                                                                                                    • Opcode ID: 0880df214e9cd3c2f1cf25e5b96380e1b1ca444558782d537dd0fee6feb36dbb
                                                                                                                    • Instruction ID: 3e1ff24fd811039b8da601524d6d417f3ce757254f74ce17da633687be2a1484
                                                                                                                    • Opcode Fuzzy Hash: 0880df214e9cd3c2f1cf25e5b96380e1b1ca444558782d537dd0fee6feb36dbb
                                                                                                                    • Instruction Fuzzy Hash: CDC1D5322106EE97EB619FA194183FCB7A0F362F4CF889335DBC646685DF25A641C718
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: malloc$free$Timetime
                                                                                                                    • String ID: <$d$d
                                                                                                                    • API String ID: 3424428123-2034941416
                                                                                                                    • Opcode ID: 67633af4dfc8252cf45609dabaea5b26b53f42197f8e2474752b99a928027a60
                                                                                                                    • Instruction ID: 21c789ed9db910fc780f7758afc7ed7f4a9892df7f0cd282373aea83643fa2cb
                                                                                                                    • Opcode Fuzzy Hash: 67633af4dfc8252cf45609dabaea5b26b53f42197f8e2474752b99a928027a60
                                                                                                                    • Instruction Fuzzy Hash: 83714972202B95C7EB45CF61E58038D77A8F758B88F08C629CB882B764DF78C164DB54
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$sendto$_write
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 4063025714-2766056989
                                                                                                                    • Opcode ID: c7bd1ad0bf1584a85a1a61cb4fc126e031526cfb8e27881f91a638e7d804c59f
                                                                                                                    • Instruction ID: ec987a514cefe73df7f0ede082e9ab4e454e0ab49ab130866f8f6029f52c6338
                                                                                                                    • Opcode Fuzzy Hash: c7bd1ad0bf1584a85a1a61cb4fc126e031526cfb8e27881f91a638e7d804c59f
                                                                                                                    • Instruction Fuzzy Hash: 0921E731A046E683F7148FA4E44C39FE764E754F88F548361DA9887AA4CF3ACB819348
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalReadSectionVirtual$AllocEnterErrorExitFreeLastLeaveThreadTimesendtime
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3122330297-0
                                                                                                                    • Opcode ID: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
                                                                                                                    • Instruction ID: 218727d5fe54140df3eaf73241a1a5794b388b0d1b5b19f86b01f85af616d780
                                                                                                                    • Opcode Fuzzy Hash: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
                                                                                                                    • Instruction Fuzzy Hash: 0141AF32300A5587E7598FA2E44039DB3A0F768F88F54C22ACB4A83794EF39DA55CB44
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1326835672-0
                                                                                                                    • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                    • Instruction ID: 649731ae198dc1f129116bc9484d2e52d335e8c361f54c9094adad0cce7e989a
                                                                                                                    • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                    • Instruction Fuzzy Hash: 423141337012038BFB64EB68D4563ED2391AB55344F44C429AACACB6D7DF298745CF15
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1326835672-0
                                                                                                                    • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                    • Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
                                                                                                                    • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                    • Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocVirtual$CriticalInitializeSection$CreateEvent
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 469433356-0
                                                                                                                    • Opcode ID: ea69eefc2d230828b900866a37b3cbd0fa8e3a0e552ff7279e715e0694118ad8
                                                                                                                    • Instruction ID: bd2f9ccb69790b6cc1e53a166607b61beb278af286b810f6bbaa32b0cf4f2736
                                                                                                                    • Opcode Fuzzy Hash: ea69eefc2d230828b900866a37b3cbd0fa8e3a0e552ff7279e715e0694118ad8
                                                                                                                    • Instruction Fuzzy Hash: 2D415E32211F56C3EB158F51F9406CD77B8F719B80F81862ADA4943BA4EF38D668C359
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memset$Windowlstrlen$Process32$ClassCloseCreateFirstHandleNameNextProcessSnapshotTextThreadToolhelp32Visible
• String ID:
• API String ID: 4082481662-0
• Opcode ID: f3f6308184de1336c682d88350a7a94f45cac4e12ff12976c06c3bffbcc68aeb
• Instruction ID: 739699d56513272a2a1374d1d533bba24978a7a0bb8e342e97149786cbd26c14
• Opcode Fuzzy Hash: f3f6308184de1336c682d88350a7a94f45cac4e12ff12976c06c3bffbcc68aeb
• Instruction Fuzzy Hash: FE413476310A959BDB349F26D9447ED2361F789B99F809111CA0A8BE58EF39C358CB00
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CreateThread$CloseCriticalHandleSection$AllocEnterInfoLeaveNativeReadSystemVirtual
• String ID:
• API String ID: 3571750651-0
• Opcode ID: 1363fd4b51c054286b4f9f0578cb1f11da93afc1d0dca13003e3c5ae9259af37
• Instruction ID: 009a87c8347c997fb02751a64ac19451764fc84d4b3b58f3e8c039372517d1b8
• Opcode Fuzzy Hash: 1363fd4b51c054286b4f9f0578cb1f11da93afc1d0dca13003e3c5ae9259af37
• Instruction Fuzzy Hash: FE416C32604B92C3DB24CF61E90079DB3A4F799B84F85C62ADE8907755EF38C695C748
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: lstrcmpi
• String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS
• API String ID: 1586166983-3507829934
• Opcode ID: 92d67e1772ed5d27b35ffe2b6b4ab96e07dede8ed643a73d65189ae7ffbca217
• Instruction ID: 3f42149666f47bb0da145e7a4754c7f3fd0beef24bda6f077dbad3abfd55e07e
• Opcode Fuzzy Hash: 92d67e1772ed5d27b35ffe2b6b4ab96e07dede8ed643a73d65189ae7ffbca217
• Instruction Fuzzy Hash: 7B011220300B1967EA049BB6AD99399B2519F58FF5F849325AD2A837F8DF68C244C348
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
• String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
• API String ID: 2273495996-2419032777
• Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction ID: 9136cc2e46e2b1c2881ad59cf5e40b820321d34a5dd54a28c1c77466e197d6bf
• Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction Fuzzy Hash: EE415B37302B0287FA14DB64E8117DD2361AB8AB90F44D925C98E877E4DF2DD645CB18
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
• String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
• API String ID: 2273495996-2419032777
• Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
• Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: lstrcmpi$CreateThreadmemset
• String ID: HTTP$TCP$UDP
• API String ID: 1278753810-3864057669
• Opcode ID: 4f3725c6e9a3c20e9ab6cee16e493342bd08e11a55dedb5a078407a7875efed0
• Instruction ID: c474d4ceb27a87ecdecd1f6193620bcb41dde75bfe1726beba3fd062ff0c023f
• Opcode Fuzzy Hash: 4f3725c6e9a3c20e9ab6cee16e493342bd08e11a55dedb5a078407a7875efed0
• Instruction Fuzzy Hash: A9312571608B5697EB10CF61E8903DEB7B1F799B84F80D226DA4A83665EF3CC284C704
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
• Opcode ID: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
• Instruction ID: cfef962aad1478f284c253564928919d0486e7ce92c05e60f903897ac17f242a
• Opcode Fuzzy Hash: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
• Instruction Fuzzy Hash: B6C11536700A558BEB24CFB9D4846AC63B0F798F88F418616DE0E67B28DF38D649C744
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• GetCurrentProcessId.KERNEL32 ref: 000001845C4E2020
• ProcessIdToSessionId.KERNEL32 ref: 000001845C4E2030
  • Part of subcall function 000001845C4F6CA0: VirtualAlloc.KERNEL32 ref: 000001845C4F6CBE
  • Part of subcall function 000001845C4F6CA0: GetCurrentProcessId.KERNEL32 ref: 000001845C4F6D39
• VirtualAlloc.KERNEL32 ref: 000001845C4E2096
• InitializeCriticalSection.KERNEL32 ref: 000001845C4E20A8
• VirtualAlloc.KERNEL32 ref: 000001845C4E20CD
• InitializeCriticalSection.KERNEL32 ref: 000001845C4E20DF
• CreateThread.KERNEL32 ref: 000001845C4E2117
• WaitForSingleObject.KERNEL32 ref: 000001845C4E212D
• CloseHandle.KERNEL32 ref: 000001845C4E2136
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: AllocCriticalSectionVirtual$EnterInitializeProcessRead$CurrentLeave$CloseCreateHandleObjectSessionSingleThreadWait
• String ID:
• API String ID: 1571644542-0
• Opcode ID: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
• Instruction ID: 4df4d8f33240ec1b1b7cb588baf364732cf0a12ffc068a83b303e3cc2f0fcd38
• Opcode Fuzzy Hash: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
• Instruction Fuzzy Hash: 03315D32214B92C3EB24CF61F8006DEB7A4F799F80F55821AEA8647B94DF38D644C794
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: ErrorFreeLastOpenServiceVirtual$CloseHandleManager
• String ID:
• API String ID: 3563172158-0
• Opcode ID: ce12c43ad3cf74fd47867ee24130c725be5bd76402bb544879ce041abdb63390
• Instruction ID: 0e2abc5761eda03967a58eb413654bce1e5e600fc441ab25313f7312285530e5
• Opcode Fuzzy Hash: ce12c43ad3cf74fd47867ee24130c725be5bd76402bb544879ce041abdb63390
• Instruction Fuzzy Hash: F4217234700B6B83EB58EFA2A95439D9391AB9DFD0F0481259D0B83B55EE3CC6458748
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F8683
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F86CF
                                                                                                                    • IsBadReadPtr.KERNEL32 ref: 000001845C4F8711
                                                                                                                    • EnterCriticalSection.KERNEL32 ref: 000001845C4F8729
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F8740
                                                                                                                    • LeaveCriticalSection.KERNEL32 ref: 000001845C4F8764
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F8789
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F87B3
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F87C9
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F87F3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1953590826-0
                                                                                                                    • Opcode ID: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
                                                                                                                    • Instruction ID: bc956895820e8cdc15aa1e2a88058796b379983124b8132f059bffd5b217af63
                                                                                                                    • Opcode Fuzzy Hash: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
                                                                                                                    • Instruction Fuzzy Hash: D1518E32311A5183EB18DF62E9547AEA3A0FB8AF80F44C125CF4A47B54DF38E6558748
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: send
                                                                                                                    • String ID: CONNECT %s:%u HTTP/1.1Host: %s:%uUser-agent: lws$Proxy-authorization: basic %s$RAW$client_connect4$first service failed$proxy write failed
                                                                                                                    • API String ID: 2809346765-3983456341
                                                                                                                    • Opcode ID: 11d3f37dd95c02476e6052aa96ec3df33aad2b63795300cda34447b6fc21c926
                                                                                                                    • Instruction ID: 74518b624b0ec49d1f1b5eaa2f24e0aae8417b7eafb79fc4b3e1a59dcc865aaf
                                                                                                                    • Opcode Fuzzy Hash: 11d3f37dd95c02476e6052aa96ec3df33aad2b63795300cda34447b6fc21c926
                                                                                                                    • Instruction Fuzzy Hash: C081B1722106AA83EB548FA2D4547EDB3E4F764B88F84C236DE4957794DF38C641C788
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeMemory$EnumerateInformationQuerySessionSessionslstrlen
                                                                                                                    • String ID: system
                                                                                                                    • API String ID: 3618899143-3377271179
                                                                                                                    • Opcode ID: b32c9ff873edc57c0f6f3c7361fb97fa384e6bee228724bcac05ea03c1df1bf5
                                                                                                                    • Instruction ID: f1451d5a3b79ab1c642746d8d911cbfcf37fd4f889546922965e675a635cbc28
                                                                                                                    • Opcode Fuzzy Hash: b32c9ff873edc57c0f6f3c7361fb97fa384e6bee228724bcac05ea03c1df1bf5
                                                                                                                    • Instruction Fuzzy Hash: B04167B6B10A619BEB10CF65E8846DD37B4F348B98F405A16EF0A43B58DF34C694CB44
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrcat$DeleteErrorFileLastmemset
                                                                                                                    • String ID: C:\Program Files\Windows Mail$\temp.key
                                                                                                                    • API String ID: 3002015462-229217837
                                                                                                                    • Opcode ID: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
                                                                                                                    • Instruction ID: bfd22213e7e813b4eb6d1a94106f1a3266467c681bb58b5400363f3a04db7e2d
                                                                                                                    • Opcode Fuzzy Hash: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
                                                                                                                    • Instruction Fuzzy Hash: 8A119132608B86C3D7208F65F44439EF3A0F7D9B84F508216E68942A68DF7CC248CB44
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
                                                                                                                    • String ID: svchost.exe
                                                                                                                    • API String ID: 2075570005-3106260013
                                                                                                                    • Opcode ID: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
                                                                                                                    • Instruction ID: a7e4a02683164cc51efae999f71ec939c82b81573c8ef5df0e77f5c8c66af7f8
                                                                                                                    • Opcode Fuzzy Hash: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
                                                                                                                    • Instruction Fuzzy Hash: 7E015231311A4D81FBAAEB21E8A93DA6360BB8D795F449125A99E46295DF3CC34CC740
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$CreateToken$User$BlockCurrentDuplicateEnvironmentErrorInformationLastOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2924300727-0
                                                                                                                    • Opcode ID: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
                                                                                                                    • Instruction ID: df9b6c6ae7bc7adae67e1b8baa30e10d9bae824d6b4eea8d8d5d19a8ef8addb3
                                                                                                                    • Opcode Fuzzy Hash: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
                                                                                                                    • Instruction Fuzzy Hash: 88515A32B04B928BE750CFA1E48079D73B5F399788F409215AE8C67B18DF38C659C744
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocErrorFreeLastTimesendsockettime
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 675528727-0
                                                                                                                    • Opcode ID: ffa402f768c8f16eaddf7cabb92685b8e3fc598e86ccd357d1f3be0cf34130b3
                                                                                                                    • Instruction ID: 8bd8b166faa03308d004f32ce7480bc75e961102b2c0e3e418abec95e65868a9
                                                                                                                    • Opcode Fuzzy Hash: ffa402f768c8f16eaddf7cabb92685b8e3fc598e86ccd357d1f3be0cf34130b3
                                                                                                                    • Instruction Fuzzy Hash: FA419332310A6543EB58CF66E90479EA7A1F7A9FC0F08C125DF4A93B94DF39C6518748
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EDF24
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EDF4E
                                                                                                                    • CreateEventW.KERNEL32 ref: 000001845C4EDF64
                                                                                                                    • CreateThread.KERNEL32 ref: 000001845C4EDF89
                                                                                                                    • IsBadReadPtr.KERNEL32 ref: 000001845C4EDF9E
                                                                                                                    • EnterCriticalSection.KERNEL32 ref: 000001845C4EDFB1
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4EDFC8
                                                                                                                    • LeaveCriticalSection.KERNEL32 ref: 000001845C4EDFEC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$CreateFree$EventInitializeThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1715669518-0
                                                                                                                    • Opcode ID: 063af28826c257ba34dd61794c6217d4116b079e187d054435bfcbad311f18e1
                                                                                                                    • Instruction ID: e012d9e19184dfc97fca072228b6f15f9e3bd5ba62c438d8048b3efc9925037c
                                                                                                                    • Opcode Fuzzy Hash: 063af28826c257ba34dd61794c6217d4116b079e187d054435bfcbad311f18e1
                                                                                                                    • Instruction Fuzzy Hash: 4F316732300B5183EB18CF62E944B9EB3A5FB88F84F89C1269E4A43B54DF38C625C744
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalReadSection$EnterErrorExitLastLeaveObjectSingleThreadWaitsend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 152332814-0
                                                                                                                    • Opcode ID: 2d099a332ae138d2403c0ed02e9701855ee02b40e3ab162302b3085763c8ad70
                                                                                                                    • Instruction ID: 215ba962076c0f09c678edfc98659a27f66b38365946d9656aedf69916a4184a
                                                                                                                    • Opcode Fuzzy Hash: 2d099a332ae138d2403c0ed02e9701855ee02b40e3ab162302b3085763c8ad70
                                                                                                                    • Instruction Fuzzy Hash: 53118632304A1683E7059FA2E8103AEE3A4FBB9F85F94D126DE0997794DF3DC9458348
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: closesocket
                                                                                                                    • String ID: __lws_close_free_wsi_final$client_reset$failed to get ah$free$lws_free
                                                                                                                    • API String ID: 2781271927-1207365477
                                                                                                                    • Opcode ID: 25f6bb898b64ce15532d64514156a68591c670a9a80de1def1c087238b177e9a
                                                                                                                    • Instruction ID: 9e0365639c940b4336dffc9862efdeba98b454923195927fbe4764bfb663bdd5
                                                                                                                    • Opcode Fuzzy Hash: 25f6bb898b64ce15532d64514156a68591c670a9a80de1def1c087238b177e9a
                                                                                                                    • Instruction Fuzzy Hash: 0B51C132300BA683EA49DBA1D2443EDE3A1F795BE4F948311ABB8077D1CF34D6618348
APIs
• __chkstk.NTDLL ref: 000001845C4EE01D
• memset.NTDLL ref: 000001845C4EE048
• memset.NTDLL ref: 000001845C4EE05A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4EE09B
• VirtualFree.KERNEL32 ref: 000001845C4EE0C5
• VirtualFree.KERNEL32 ref: 000001845C4EE197
• VirtualFree.KERNEL32 ref: 000001845C4EE1C1
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leavememset$Initialize__chkstk
• String ID:
• API String ID: 2598321309-0
• Opcode ID: 19803d78e17f30e281bc56e6a6dc2545e298c1294dfc20e4aef617dcccde76fa
• Instruction ID: ae09837805870a807dcab99305070d58126795035682a10905eaa0bc1a878618
• Opcode Fuzzy Hash: 19803d78e17f30e281bc56e6a6dc2545e298c1294dfc20e4aef617dcccde76fa
• Instruction Fuzzy Hash: EF516E72318A9187EB34DF62E6446ADB361FBCAB80F858214DB8A43F44CF38D155CB09
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: FreeVirtual$lstrcat
• String ID: HTTP$TCP$UDP
• API String ID: 1793027038-3864057669
• Opcode ID: fb63e8a4699bb45600396c4e6aee975bb247977ebe0e889c0a84493701b80b76
• Instruction ID: bc33ac4ffd80350598a44109708e29d05622421dac7b34481fd40e6baeff6208
• Opcode Fuzzy Hash: fb63e8a4699bb45600396c4e6aee975bb247977ebe0e889c0a84493701b80b76
• Instruction Fuzzy Hash: D741AF32314B5583EB64CF26E5447AEA3A1FB89F80F409215DA8A83F54DF38D255CB04
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4ED790
• VirtualFree.KERNEL32 ref: 000001845C4ED7BA
• CreateThread.KERNEL32 ref: 000001845C4ED7E8
• IsBadReadPtr.KERNEL32 ref: 000001845C4ED80C
• EnterCriticalSection.KERNEL32 ref: 000001845C4ED81F
• VirtualAlloc.KERNEL32 ref: 000001845C4ED836
• LeaveCriticalSection.KERNEL32 ref: 000001845C4ED85A
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$Free$CreateInitializeThread
• String ID:
• API String ID: 1508740679-0
• Opcode ID: 1b3e0e81731cd236f1cdf85c7afb2c4caa27aaabd1b84022f2bb5430b119c807
• Instruction ID: b8aa0e9d4301da51990b98125e6ae0f56a4f644f0a2fc83d26d1dfa4eff6fb5d
• Opcode Fuzzy Hash: 1b3e0e81731cd236f1cdf85c7afb2c4caa27aaabd1b84022f2bb5430b119c807
• Instruction Fuzzy Hash: 97418E32210B81CBEB54CF22E94069EB7A4FB88F94F448125EF5A43B54DF38C565CB44
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$Alloc$InfoUserlstrcmpi
• String ID:
• API String ID: 2840552451-0
• Opcode ID: 60893066e3bbf6b45f4eeb8daf225cdee7bfb0fcc925a5af3644fbef4d97a442
• Instruction ID: 6fc57d462450a6fbbcb10b92037aef265d8ed9d64c8b1151508bca33e0d6f70f
• Opcode Fuzzy Hash: 60893066e3bbf6b45f4eeb8daf225cdee7bfb0fcc925a5af3644fbef4d97a442
• Instruction Fuzzy Hash: F8415E31715A5187EB74CF22E84479EA3A0F79AF84F449219CE8A43B54DF3CE2498B04
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$ByteCharFreeMultiWide$AllocFileWritelstrlen
• String ID:
• API String ID: 2835453980-0
• Opcode ID: 2ccbba1d97933468815318aad32eba688173e7f35fa5392403b466c644259abf
• Instruction ID: 85663dcb2571f80e464df6aa7a1c5b93c21b1fdf1be8aa61e03d12da3617c74a
• Opcode Fuzzy Hash: 2ccbba1d97933468815318aad32eba688173e7f35fa5392403b466c644259abf
• Instruction Fuzzy Hash: A0316F31308B5583EB58DF67A99465EB3A1FB99FC0F448125DE8A53F24DF38D1228748
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeVirtualmemcpymemset$FileOperation
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 467530429-0
                                                                                                                    • Opcode ID: 14cb9642c533215b7a2e2bfcfdb6d7d7cadd70b785f3dc976475013d93c55a53
                                                                                                                    • Instruction ID: b9604e9747e6906363e870a84f82c7ccec0fd1850b2c5af743268e4633527b03
                                                                                                                    • Opcode Fuzzy Hash: 14cb9642c533215b7a2e2bfcfdb6d7d7cadd70b785f3dc976475013d93c55a53
                                                                                                                    • Instruction Fuzzy Hash: E4317E32214B9587DB24CF12F48068EF3A4FB85B84F548615DB9D03B28DF38D216CB44
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsSendWait
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 248740593-0
                                                                                                                    • Opcode ID: 3d6319584adb544b58c2476fc8f8a49f60c538f7d4a53f43cd1c7f5bcbecd3ed
                                                                                                                    • Instruction ID: c1c01372e2f8ecbf838a257cb68b6781e1a5b43bb6c7580a4f1f8788adb76725
                                                                                                                    • Opcode Fuzzy Hash: 3d6319584adb544b58c2476fc8f8a49f60c538f7d4a53f43cd1c7f5bcbecd3ed
                                                                                                                    • Instruction Fuzzy Hash: 5C315232608B9997E7608FA4F8407DEF760F794B54F508226EB8883B54DF78D698CB44
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorFileLastVirtual$AllocBuffersFlushFreeNamedPeekPipeRead
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1637252459-0
                                                                                                                    • Opcode ID: 7caf67ba2c754cc6c7e94bd91c5a8169c82a3c47d0c13808e784c8b6e6b47a5f
                                                                                                                    • Instruction ID: e1c0d42a47bb69554df49266af5f241abd5def3180e5487f8351703e3561ef67
                                                                                                                    • Opcode Fuzzy Hash: 7caf67ba2c754cc6c7e94bd91c5a8169c82a3c47d0c13808e784c8b6e6b47a5f
                                                                                                                    • Instruction Fuzzy Hash: 36215136304A5587E7208FA2F40069EF3A0F789BE5F488225DE4D47B54DF78D5958B18
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeMemoryProcessSession$CreateCurrentDirectoryEnumerateErrorInformationLastQuerySessionsSystemThreadlstrcatmemset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3188162108-0
                                                                                                                    • Opcode ID: a0f1e4af9b35d422d03ebaa43e648843dcc74811eb2673a9a5bc5e68af15dc2a
                                                                                                                    • Instruction ID: 0f5d1f2f89b9f584f77750c9495a8e917ae2141c8517d25c65ce40fcda1e3b5c
                                                                                                                    • Opcode Fuzzy Hash: a0f1e4af9b35d422d03ebaa43e648843dcc74811eb2673a9a5bc5e68af15dc2a
                                                                                                                    • Instruction Fuzzy Hash: 12315C32218B55D7D7508F61F88068FB7B1F388B94F94821AEB8A43B28DF38D655CB44
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandle$CreateErrorLastProcessSuspendThreadTokenWith
                                                                                                                    • String ID: h
                                                                                                                    • API String ID: 1678065097-2439710439
                                                                                                                    • Opcode ID: 34fa300228c636eaa0f0248c957d63175a617a8d2a4f03bc85cdcff5c74062eb
                                                                                                                    • Instruction ID: cac6ec860a7db5146aa0228ea8147076769b5d805b2b14c0f58591c977d2ad08
                                                                                                                    • Opcode Fuzzy Hash: 34fa300228c636eaa0f0248c957d63175a617a8d2a4f03bc85cdcff5c74062eb
                                                                                                                    • Instruction Fuzzy Hash: DD314E33A18B9183E710CF91E4846AEB3A4F7D8B94F119226EA9803B15DFB9C5D4CB40
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: OpenService$CloseErrorHandleLastManager
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2659350385-0
                                                                                                                    • Opcode ID: be0d97674b5d01ddbad740662ad065086e858ccad381bdd0b1a3b9729ee50c89
                                                                                                                    • Instruction ID: d01c5cb676d90ac7528ae45bfc1e62a0ac84dcf60144b00d2a340e9cb5c63b2a
                                                                                                                    • Opcode Fuzzy Hash: be0d97674b5d01ddbad740662ad065086e858ccad381bdd0b1a3b9729ee50c89
                                                                                                                    • Instruction Fuzzy Hash: 8A019E35714A0A83EF098FA6F9846AC92A1BB5CFD4F488135CE0A06711EE7CC6848B48
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Read$CriticalEnterErrorExitLastSectionThreadsend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4016372045-0
                                                                                                                    • Opcode ID: d7c53ff00559cd01b286f1a6d6dd771ff59319f2d2823e378d410a2d7a4538d3
                                                                                                                    • Instruction ID: c6a9d02a06c2d00e11b695d4eb797dd42b818c6ea7b72646f7cafb442fe3d628
                                                                                                                    • Opcode Fuzzy Hash: d7c53ff00559cd01b286f1a6d6dd771ff59319f2d2823e378d410a2d7a4538d3
                                                                                                                    • Instruction Fuzzy Hash: DD015E32324A6587D7449F61F84029DA360FB98F84F889126EF4A83B55CF39C955C784
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DirectoryErrorFreeLastSystemVirtuallstrcatmemset
                                                                                                                    • String ID: \svchost.exe -k netsvcs
                                                                                                                    • API String ID: 1196864501-2993138014
                                                                                                                    • Opcode ID: 4899bdc5faaa1a50a6070bd62f2c10f6be7ce4c39736347503a2d79e50c34c7c
                                                                                                                    • Instruction ID: 5a1661f5af0cd8f08ce4847ce64d4970d24f4051e674d702db7a77b7d312e281
                                                                                                                    • Opcode Fuzzy Hash: 4899bdc5faaa1a50a6070bd62f2c10f6be7ce4c39736347503a2d79e50c34c7c
                                                                                                                    • Instruction Fuzzy Hash: 6001803121095A83EB20DF61E8547DEA361F795B54F408311DAAD436E9DF3CC349C748
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Alloc$CriticalFreeInitializeSection
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2852478515-0
                                                                                                                    • Opcode ID: 2ca86a1fc827d6d4b782268000abc3b1b2f9c80ad164c5e90495c9a43af317c5
                                                                                                                    • Instruction ID: 4eb4edefc3cf701e8b4a8ca3e68f12cdb2ca65f78887cba2590c3f249fd1e1ff
                                                                                                                    • Opcode Fuzzy Hash: 2ca86a1fc827d6d4b782268000abc3b1b2f9c80ad164c5e90495c9a43af317c5
                                                                                                                    • Instruction Fuzzy Hash: 4C61E536201F41D7EB158F21E5807DD33A8FB09B44F95862ACA9D07768EF38C668C399
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset
                                                                                                                    • String ID: default$lws_free$lws_protocol_init_vhost$protocol %s failed init$raw
                                                                                                                    • API String ID: 2221118986-224536676
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID:
• String ID: $%02X $%04X: $(hexdump: NULL ptr)$(hexdump: zero length)
• API String ID: 0-30795012
Similarity
• API ID: lstrcmpi
• String ID: U:I:$V:R:$V:_:$^:V:$_:B:
• API String ID: 1586166983-194391922
Similarity
• API ID: Virtual$AllocFree$InfoUserlstrcmpi
• String ID:
• API String ID: 4244901044-0
Similarity
• API ID: ObjectSingleWaitmemcpy$Eventmemset
• String ID:
• API String ID: 2578485326-0
Similarity
• API ID: AllocBitmapBitsCompatibleCreateDeleteObjectReleaseVirtual
• String ID:
• API String ID: 1942853633-0
Similarity
• API ID: CountCreateFileTick$ErrorLastSleep
• String ID:
• API String ID: 2478964991-0
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
• VirtualAlloc.KERNEL32 ref: 000001845C4ED9B9
• VirtualFree.KERNEL32 ref: 000001845C4EDA86
• VirtualFree.KERNEL32 ref: 000001845C4EDAB0
• CloseHandle.KERNEL32 ref: 000001845C4EDAC5
• VirtualFree.KERNEL32 ref: 000001845C4EDAF8
• VirtualFree.KERNEL32 ref: 000001845C4EDB22
• VirtualFree.KERNEL32 ref: 000001845C4EDB37
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E442D
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E445F
  • Part of subcall function 000001845C4E4410: InitializeCriticalSection.KERNEL32 ref: 000001845C4E4474
  • Part of subcall function 000001845C4E4410: IsBadReadPtr.KERNEL32 ref: 000001845C4E4490
  • Part of subcall function 000001845C4E4410: EnterCriticalSection.KERNEL32 ref: 000001845C4E44A3
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E44BA
  • Part of subcall function 000001845C4E4410: LeaveCriticalSection.KERNEL32 ref: 000001845C4E44E9
  • Part of subcall function 000001845C4E4410: IsBadReadPtr.KERNEL32 ref: 000001845C4E44FE
  • Part of subcall function 000001845C4E4410: EnterCriticalSection.KERNEL32 ref: 000001845C4E4511
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E4528
  • Part of subcall function 000001845C4E4410: LeaveCriticalSection.KERNEL32 ref: 000001845C4E4557
  • Part of subcall function 000001845C4E4410: IsBadReadPtr.KERNEL32 ref: 000001845C4E456C
  • Part of subcall function 000001845C4E4410: EnterCriticalSection.KERNEL32 ref: 000001845C4E457F
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E4596
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterRead$Free$Leave$Initialize$CloseHandle
• String ID:
• API String ID: 1803526796-0
                                                                                                                    • Opcode ID: 2389004f1622c871db37be869d3889ec8ed68640e4297f82caa4ce24a07498eb
                                                                                                                    • Instruction ID: 42ef902c05b430c41ac76b11e393b06e52416f0e7058e47bc29f390ca43620bc
                                                                                                                    • Opcode Fuzzy Hash: 2389004f1622c871db37be869d3889ec8ed68640e4297f82caa4ce24a07498eb
                                                                                                                    • Instruction Fuzzy Hash: C8513931301F5287EB64CF52F49469EB3A8FB59B80F048225CB9A43BA4DF38C250C349
APIs
Similarity
• API ID: CriticalSection$Leave$Enter
• String ID:
• API String ID: 2978645861-0
• Opcode ID: f64cf19514c4a9b2708fe76cc4375897a169406fda7ea7ef4dfe89a5c2b49c5b
• Instruction ID: 8a7ff6c76f249587da4f663bc0d76ec93547d6fc01d7cc797f87542622aefdb5
• Opcode Fuzzy Hash: f64cf19514c4a9b2708fe76cc4375897a169406fda7ea7ef4dfe89a5c2b49c5b
• Instruction Fuzzy Hash: FD417E36310A66C3E7108F61E80039EB3A5FB94F94F888226DE5A97754DF78CA05C788
APIs
• GetCurrentProcessId.KERNEL32 ref: 000001845C4E5973
  • Part of subcall function 000001845C4FCC60: CreateToolhelp32Snapshot.KERNEL32 ref: 000001845C4FCC76
  • Part of subcall function 000001845C4FCC60: malloc.MSVCRT ref: 000001845C4FCC84
  • Part of subcall function 000001845C4FCC60: Process32FirstW.KERNEL32 ref: 000001845C4FCCA2
  • Part of subcall function 000001845C4FCC60: free.MSVCRT ref: 000001845C4FCCB7
  • Part of subcall function 000001845C4FCC60: CloseHandle.KERNEL32(?,?,00000000,000001845C4F6D46), ref: 000001845C4FCCC5
  • Part of subcall function 000001845C4FD140: OpenSCManagerW.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000001845C4E264E), ref: 000001845C4FD165
  • Part of subcall function 000001845C4FD140: EnumServicesStatusExW.ADVAPI32 ref: 000001845C4FD1B1
  • Part of subcall function 000001845C4FD140: malloc.MSVCRT ref: 000001845C4FD1C6
  • Part of subcall function 000001845C4FD140: memset.NTDLL ref: 000001845C4FD1DC
  • Part of subcall function 000001845C4FD140: EnumServicesStatusExW.ADVAPI32 ref: 000001845C4FD21B
  • Part of subcall function 000001845C4FD140: CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000001845C4E264E), ref: 000001845C4FD228
  • Part of subcall function 000001845C4FD140: free.MSVCRT ref: 000001845C4FD231
• ExitProcess.KERNEL32 ref: 000001845C4E5998
• VirtualFree.KERNEL32 ref: 000001845C4E5BA8
• VirtualFree.KERNEL32 ref: 000001845C4E5BD2
Strings
Similarity
• API ID: CloseEnumFreeHandleProcessServicesStatusVirtualfreemalloc$CreateCurrentExitFirstManagerOpenProcess32ServiceSnapshotToolhelp32memset
• String ID: Schedule
• API String ID: 2593299425-2739827629
• Opcode ID: d2ede1c26b53fc35dc056e9d6b3441cc13192b8f0a26bde5ec17dc0c8f87d235
• Instruction ID: 0ff8d722de702730b161c23f923254f9ebac40ddd2a296ef60eb3ee39c2f398e
• Opcode Fuzzy Hash: d2ede1c26b53fc35dc056e9d6b3441cc13192b8f0a26bde5ec17dc0c8f87d235
• Instruction Fuzzy Hash: FA01D631300B5283FB78AFB1E9907EDA260AB91B80F40C216CA8A027D1DE3CC285430D
APIs
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
• Instruction ID: dd593b2d9bfcac789202ae1b7e77c19b74a92308c3d2d29a30747c8b6bc5dc69
• Opcode Fuzzy Hash: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
• Instruction Fuzzy Hash: 7561CD32200B81CBEB20CF26E544BAC77A4FB89B94F5A8625CE6D47B94EF34C640D745
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F42F3
• VirtualFree.KERNEL32 ref: 000001845C4F431D
• VirtualAlloc.KERNEL32 ref: 000001845C4F4334
• InitializeCriticalSection.KERNEL32 ref: 000001845C4F43BE
• VirtualFree.KERNEL32 ref: 000001845C4F4443
• VirtualFree.KERNEL32 ref: 000001845C4F446D
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$InitializeLeave
• String ID:
• API String ID: 2124124174-0
• Opcode ID: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
• Instruction ID: a8e427942c35cec85f2793ef9c5189df9fe1f9dee50e364628768ae85526dbf1
• Opcode Fuzzy Hash: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
• Instruction Fuzzy Hash: 7C513B32311F5187EB64DF52E448A9DB3A8FB99B84F458225DE8E43B14EF38D254C744
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
  • Part of subcall function 000001845C4FC760: WTSEnumerateSessionsW.WTSAPI32 ref: 000001845C4FC79F
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34EB
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E34FD
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3510
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3527
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3556
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3568
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E357B
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3592
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35C1
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E35D3
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35E6
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35FD
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E362C
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E363E
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3654
• VirtualFree.KERNEL32 ref: 000001845C4FEFC4
• VirtualFree.KERNEL32 ref: 000001845C4FEFEE
• VirtualFree.KERNEL32 ref: 000001845C4FF026
• VirtualFree.KERNEL32 ref: 000001845C4FF050
Strings
Similarity
• API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$EnumerateInitializeSessions
• String ID: @
• API String ID: 3635408051-3454712805
• Opcode ID: e5ffd8acee62a3162d13eb417bf543901fc6efb17b9c23c1632ba5cdd8a3b5f2
• Instruction ID: fe2a1b11a244d2460e220219cc061c55bcb0dccc338f4f97a8c8c9840a149f08
• Opcode Fuzzy Hash: e5ffd8acee62a3162d13eb417bf543901fc6efb17b9c23c1632ba5cdd8a3b5f2
• Instruction Fuzzy Hash: 98316A32715B4187EB64DF23E594A6EB3A5FB89F80B048125DF8A43F24CF39D1668B44
APIs
Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: strchr
                                                                                                                    • String ID: http://$http_proxy needs to be ads:port$lws_set_proxy$proxy auth too long
                                                                                                                    • API String ID: 2830005266-175238664
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4E57CB
• VirtualFree.KERNEL32 ref: 000001845C4E57F5
• VirtualFree.KERNEL32 ref: 000001845C4E5BA8
• VirtualFree.KERNEL32 ref: 000001845C4E5BD2
  • Part of subcall function 000001845C4FBC20: memcpy.NTDLL ref: 000001845C4FBC45
  • Part of subcall function 000001845C4FBC20: memset.NTDLL ref: 000001845C4FBCDA
  • Part of subcall function 000001845C4FBC20: wsprintfW.USER32 ref: 000001845C4FBCF9
  • Part of subcall function 000001845C4FBC20: SetFileAttributesW.KERNEL32 ref: 000001845C4FBD09
  • Part of subcall function 000001845C4FBC20: DeleteFileW.KERNEL32 ref: 000001845C4FBD14
  • Part of subcall function 000001845C4FBC20: CreateFileW.KERNEL32 ref: 000001845C4FBD44
  • Part of subcall function 000001845C4FBC20: GetLastError.KERNEL32 ref: 000001845C4FBD53
  • Part of subcall function 000001845C4FBC20: SetFileAttributesW.KERNEL32 ref: 000001845C4FBDA0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$FileFree$EnterRead$AttributesLeave$CreateDeleteErrorInitializeLastmemcpymemsetwsprintf
• String ID: 18.166.104.207
• API String ID: 3047218378-686852156
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memcpy$AllocVirtualceil
• String ID:
• API String ID: 311976409-0
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4E5706
• VirtualFree.KERNEL32 ref: 000001845C4E5730
• VirtualFree.KERNEL32 ref: 000001845C4E5BA8
• VirtualFree.KERNEL32 ref: 000001845C4E5BD2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initialize
• String ID: 18.166.104.207
• API String ID: 696443088-686852156
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• CreateThread.KERNEL32 ref: 000001845C4ED907
• IsBadReadPtr.KERNEL32 ref: 000001845C4ED928
• EnterCriticalSection.KERNEL32 ref: 000001845C4ED93B
• VirtualAlloc.KERNEL32 ref: 000001845C4ED952
• LeaveCriticalSection.KERNEL32 ref: 000001845C4ED976
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$AllocVirtual$EnterRead$Leave$CreateInitializeThread
• String ID:
• API String ID: 986707815-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memcpy
• String ID: %s: OOM$%s: buflist reached sanity limit$%s: corrupt list points to self$lws_buflist_append_segment
• API String ID: 3510742995-575834517
                                                                                                                    • Opcode ID: 79284cf2320dce2018f6e97d572864547c67ef809e1d40b3a32f6d216f6ca7e6
                                                                                                                    • Instruction ID: 70a9c44aeef26442ac3f00a86d612a359dd84753bd49a845a7f4d8fcda04f558
                                                                                                                    • Opcode Fuzzy Hash: 79284cf2320dce2018f6e97d572864547c67ef809e1d40b3a32f6d216f6ca7e6
                                                                                                                    • Instruction Fuzzy Hash: 0821B435204B6983EB108F95E5443DDB3A1F728B98F84C326EA8D073A5DF78CA45C344
                                                                                                                    APIs
                                                                                                                    • malloc.MSVCRT ref: 000001845C4EDB85
                                                                                                                    • lstrcatW.KERNEL32 ref: 000001845C4EDBAC
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                      • Part of subcall function 000001845C4EC850: memset.NTDLL ref: 000001845C4EC895
                                                                                                                      • Part of subcall function 000001845C4EC850: lstrcatW.KERNEL32 ref: 000001845C4EC8A4
                                                                                                                      • Part of subcall function 000001845C4EC850: lstrcatW.KERNEL32 ref: 000001845C4EC8B8
                                                                                                                      • Part of subcall function 000001845C4EC850: memset.NTDLL ref: 000001845C4EC8CB
                                                                                                                      • Part of subcall function 000001845C4EC850: FindFirstFileW.KERNEL32 ref: 000001845C4EC8DC
                                                                                                                      • Part of subcall function 000001845C4EC850: FindNextFileW.KERNEL32 ref: 000001845C4EC935
                                                                                                                      • Part of subcall function 000001845C4EC850: FindNextFileW.KERNEL32 ref: 000001845C4EC999
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EDBF3
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EDC1D
                                                                                                                    • free.MSVCRT ref: 000001845C4EDC26
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$Alloc$EnterFileFindReadlstrcat$FreeLeaveNextmemset$FirstInitializefreemalloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2817660952-0
                                                                                                                    • Opcode ID: e62f3b6bb31d4131cbf3e8879ad1a17dd29e8ffe2323acf7510d4be1f2a2089e
                                                                                                                    • Instruction ID: b48555a1e507ca90de4ff69cd7640c4b4d7d15249ca8b55e30fdcf33e6bd1bbb
                                                                                                                    • Opcode Fuzzy Hash: e62f3b6bb31d4131cbf3e8879ad1a17dd29e8ffe2323acf7510d4be1f2a2089e
                                                                                                                    • Instruction Fuzzy Hash: 4721C031311A9187EB58DF53E85469EA364F789FC0F89C125DE8A47B18CE3CC2458784
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _set_statfp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1156100317-0
                                                                                                                    • Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                    • Instruction ID: 7b68062c370480586a6b508ff13b72486563f8fde28c0239a908538b01f45b2f
                                                                                                                    • Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                    • Instruction Fuzzy Hash: 8B11A333A54E0313F7641125E8513ED10C06B59374F18C62DAAF6866DACF388AE24F28
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _set_statfp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1156100317-0
                                                                                                                    • Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                    • Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
                                                                                                                    • Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                    • Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$CloseCreateCurrentHandleObjectSingleTerminateThreadWait
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 603326088-0
                                                                                                                    • Opcode ID: 7c3f9b570a8332205efd3d9421a3c14b2d654208f283a85a9c5ac44cbca20012
                                                                                                                    • Instruction ID: e8a733c98860d828c4e881522a557ab8aec600fba57fa482a208463610fd1cd6
                                                                                                                    • Opcode Fuzzy Hash: 7c3f9b570a8332205efd3d9421a3c14b2d654208f283a85a9c5ac44cbca20012
                                                                                                                    • Instruction Fuzzy Hash: 40F0827271160683EB18CFB2AC043AE63E1BB9DF58F48C6258C1987350EF3CC2418368
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_unlink
                                                                                                                    • String ID: lws_free
                                                                                                                    • API String ID: 1884818752-2419506585
                                                                                                                    • Opcode ID: f671c1c9dc5f9f1ecd93fd6c90e8a55de8e0b5723c060ba0bceb813fd88c5dd0
                                                                                                                    • Instruction ID: 961f78dc67d522834d6e4e051e95b36232c01d273b4c17b1e012325992ba1541
                                                                                                                    • Opcode Fuzzy Hash: f671c1c9dc5f9f1ecd93fd6c90e8a55de8e0b5723c060ba0bceb813fd88c5dd0
                                                                                                                    • Instruction Fuzzy Hash: 0F815F32201B9A97EB558F65D8583EDA3A0F794F88F988636DE8D17394DF38C641C318
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                    • String ID: *$ko-KR
                                                                                                                    • API String ID: 3215553584-1095117856
                                                                                                                    • Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                    • Instruction ID: f16193010dff068c7ed84621fe4ca362c5b18af2dab87b3d1b5dacbfb3e3261e
                                                                                                                    • Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                    • Instruction Fuzzy Hash: 47718E7350465287E76CDF288144ABE3BA0F309B58F249226DBC6C2299DF71CA82DF55
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                    • String ID: *$ko-KR
                                                                                                                    • API String ID: 3215553584-1095117856
                                                                                                                    • Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                    • Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
                                                                                                                    • Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                    • Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _time64memset
                                                                                                                    • String ID: %s: calling service$__lws_header_table_reset
                                                                                                                    • API String ID: 899224009-1639372703
• Opcode ID: a9f15bdc1dc03cd649ae2c0efe04c1451751ae562199952308a362106ea05dd7
• Instruction ID: 93a65627a9c360136896e09135f0ea258f8ed4bf1bb53ee7a0b0ea1bd9c3b330
• Opcode Fuzzy Hash: a9f15bdc1dc03cd649ae2c0efe04c1451751ae562199952308a362106ea05dd7
• Instruction Fuzzy Hash: 8931CD32A00BC583E745CF21D5803ECA764F7A9F48F589236AF980B29ADF34D2A1C314
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: AllocErrorInitLastStringVariant
• String ID: \Microsoft\Windows
• API String ID: 3210815728-1732172413
• Opcode ID: 599da941f33650f59f8f3f7e0017e75b387ef8ec1697d5cd213f2b80ee50dc4f
• Instruction ID: af6746e59624137da2ee34cee92c03131493390368ff673fb739a5d9955add89
• Opcode Fuzzy Hash: 599da941f33650f59f8f3f7e0017e75b387ef8ec1697d5cd213f2b80ee50dc4f
• Instruction Fuzzy Hash: 70212C22A18FC983D7218F65F4043EEA371FBE9B94F449312EA8952619EF39C185CB00
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: FreeVirtual$Message
• String ID: boom...
• API String ID: 3815264287-1338744694
• Opcode ID: 38ffc653ece4430fce8646697b0d6fa537691b56c7ca04926ed4d985620e0bfa
• Instruction ID: 2d1b95ced4d00adeb8fb56d451ecaee6b362fc4598eabfc0c3ae258d53673476
• Opcode Fuzzy Hash: 38ffc653ece4430fce8646697b0d6fa537691b56c7ca04926ed4d985620e0bfa
• Instruction Fuzzy Hash: 0211AD32714B4083FB649F62E8543AEA3A1FBADF48F44D215DA8A06658EF3DC2C4C744
APIs
• memcpy.NTDLL(?,?,00000000,000001845C509458,?,00000000,?,000001845C506506), ref: 000001845C50808C
• memcpy.NTDLL ref: 000001845C508111
• memcpy.NTDLL(?,?,00000000,000001845C509458,?,00000000,?,000001845C506506), ref: 000001845C50814D
• memcpy.NTDLL(?,?,00000000,000001845C509458,?,00000000,?,000001845C506506), ref: 000001845C508189
• memcpy.NTDLL(?,?,00000000,000001845C509458,?,00000000,?,000001845C506506), ref: 000001845C50823D
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: f3cc9281a8ca6978993dbb056fb31bd63bef0cb429795cc02bd43722efd32982
• Instruction ID: 6e2f8722be242c9693fde34e80ae3bcb337e74a725c9c68e32019f628c3beee6
• Opcode Fuzzy Hash: f3cc9281a8ca6978993dbb056fb31bd63bef0cb429795cc02bd43722efd32982
• Instruction Fuzzy Hash: CAD16C32704A699BDB18DF69C680BEDB7A1F798B84F108219CB1A93751DF30E971CB44
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID:
• String ID: ctx destroy$free$lws_free
• API String ID: 0-48050916
• Opcode ID: c79e9a5b3c5bd1239040c7372c3514e6a6eb692877582e33914cb575e8c015d2
• Instruction ID: 6c38439df13aa206ad39362956e5cd5a9ab1febe43f32c77d95b2d5721cd5529
• Opcode Fuzzy Hash: c79e9a5b3c5bd1239040c7372c3514e6a6eb692877582e33914cb575e8c015d2
• Instruction Fuzzy Hash: 27D1223A3007AA83EA5C9FA185543EDE7A0F765B88F44C225CF5993386DF38D652C748
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: __swift_1$__swift_2
• API String ID: 0-2914474356
• Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction ID: eedcba72b94e8455cf12a778523fd45130f16c321118e2a38ffc4f48c2386725
• Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction Fuzzy Hash: 0C617833300B4283EE14DF29E94479DB3A1FB85B94F4885259FA987B99DF38D681CB40
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID:
• String ID: __swift_1$__swift_2
• API String ID: 0-2914474356
• Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
• Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memcpy
• String ID: !$lws_cache_lookup$lws_free
• API String ID: 3510742995-3172022147
• Opcode ID: f6a4beab21490da4376ac647ec29e6270de45d8bce8204ebcfae65f260a6c429
• Instruction ID: 91318b7b71aa4a688516013d760661b85bcb87857b3d84932738a170c2c00ea3
• Opcode Fuzzy Hash: f6a4beab21490da4376ac647ec29e6270de45d8bce8204ebcfae65f260a6c429
• Instruction Fuzzy Hash: 69719236205B9987DA25DF92E9443EDE3A0F7A8B88F488221DE8D47B58DF38C551C744
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: strcmp
• String ID: can't find role '%s'$lws_role_call_adoption_bind$raw-proxy
• API String ID: 1004003707-2670016624
• Opcode ID: ddc2dee7fed4307f6de14917132bf2b0f3b232720b966688f40a1457e8129b7c
• Instruction ID: 0f945b01ece560328a24b3b4b5a49d9e4e8817e9ef57b1e712867a8629ebc3cd
• Opcode Fuzzy Hash: ddc2dee7fed4307f6de14917132bf2b0f3b232720b966688f40a1457e8129b7c
• Instruction Fuzzy Hash: 2561F3327007AA43EB158F9694647EDBBA0B761F88F48D618DF89573A5DE38C702D308
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• WaitForMultipleObjects.KERNEL32 ref: 000001845C4FDEC1
• WaitForMultipleObjects.KERNEL32 ref: 000001845C4FDF8D
• VirtualFree.KERNEL32 ref: 000001845C4FDFCC
• VirtualFree.KERNEL32 ref: 000001845C4FDFF6
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeaveMultipleObjectsWait$Initialize
• String ID:
• API String ID: 1197094596-0
• Opcode ID: a128fd323118e7b58d08c31b868d147948c3dda6663b584a6b7ab4b22ceeec38
• Instruction ID: 46d03c28b81d713b62dc0ee3c19c2ea336c73226b8fd242c926eefdebbd266bb
• Opcode Fuzzy Hash: a128fd323118e7b58d08c31b868d147948c3dda6663b584a6b7ab4b22ceeec38
• Instruction Fuzzy Hash: 3A419372714B8183E764CF22E444B9EB3A1FB8AF84F449225DE4A43B58DF39D585CB44
APIs
• GetCurrentProcessId.KERNEL32 ref: 000001845C4FF0A4
• ProcessIdToSessionId.KERNEL32 ref: 000001845C4FF0B1
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4FF164
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4FF18E
                                                                                                                      • Part of subcall function 000001845C4E6F60: GetCurrentProcessId.KERNEL32 ref: 000001845C4E6FDB
                                                                                                                      • Part of subcall function 000001845C4E6F60: ProcessIdToSessionId.KERNEL32 ref: 000001845C4E6FEB
                                                                                                                      • Part of subcall function 000001845C4E6F60: CreateToolhelp32Snapshot.KERNEL32 ref: 000001845C4E7014
                                                                                                                      • Part of subcall function 000001845C4E6F60: GetProcessHeap.KERNEL32 ref: 000001845C4E7023
                                                                                                                      • Part of subcall function 000001845C4E6F60: HeapAlloc.KERNEL32 ref: 000001845C4E7036
                                                                                                                      • Part of subcall function 000001845C4E6F60: CloseHandle.KERNEL32 ref: 000001845C4E7047
                                                                                                                      • Part of subcall function 000001845C4E6F60: WTSGetActiveConsoleSessionId.KERNEL32 ref: 000001845C4E7056
                                                                                                                      • Part of subcall function 000001845C4E6F60: VirtualFree.KERNEL32 ref: 000001845C4E71B6
                                                                                                                      • Part of subcall function 000001845C4E6F60: VirtualFree.KERNEL32 ref: 000001845C4E71E0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$Process$Free$EnterReadSession$CurrentHeapLeave$ActiveCloseConsoleCreateHandleInitializeSnapshotToolhelp32
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1320018004-0
                                                                                                                    • Opcode ID: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
                                                                                                                    • Instruction ID: 7420d9b516cc9deb25acfb55635c1f6d44fa2edc544d09a0e64d928ddb7144fa
                                                                                                                    • Opcode Fuzzy Hash: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
                                                                                                                    • Instruction Fuzzy Hash: 81318076320B9183FB64DF22E95069D73A0FB89F84F449225EE4A43B58DF38D944CB44
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • SetEvent.KERNEL32 ref: 000001845C4FDB49
                                                                                                                    • CloseHandle.KERNEL32 ref: 000001845C4FDB58
                                                                                                                    • ResetEvent.KERNEL32 ref: 000001845C4FDB66
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4FDB85
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSectionVirtual$Alloc$EnterRead$EventLeave$CloseFreeHandleInitializeReset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4208512464-0
                                                                                                                    • Opcode ID: ca07846258ba37867d244566e482efccc0d3ec0fcc94a16ac108a6f4784184ef
                                                                                                                    • Instruction ID: 6705fd6d2a8541dd6c27418da88626eb42734a23867f9b9124a49dacb94b8bd2
                                                                                                                    • Opcode Fuzzy Hash: ca07846258ba37867d244566e482efccc0d3ec0fcc94a16ac108a6f4784184ef
                                                                                                                    • Instruction Fuzzy Hash: 78318F36314B4183EB58CF62E89466DA7A1FB89F80F098225DF4A43B59CF38D151C708
                                                                                                                    APIs
                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 000001845C4F35DD
                                                                                                                    • ProcessIdToSessionId.KERNEL32 ref: 000001845C4F35EA
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F367E
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F36A8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeaveProcess$CurrentInitializeSession
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3327369976-0
                                                                                                                    • Opcode ID: f98e4ae98b7e11fca3d4a9eee25e402cb3ff29b46a0d4ad6d7052e7fc59a9eec
                                                                                                                    • Instruction ID: 7196dadce2c0905dc7dad1aea6b02bc194bb81c3b001215d31666647237d63d3
                                                                                                                    • Opcode Fuzzy Hash: f98e4ae98b7e11fca3d4a9eee25e402cb3ff29b46a0d4ad6d7052e7fc59a9eec
                                                                                                                    • Instruction Fuzzy Hash: CC316932714B5587EB24DF66E44465EB3A0FB88F80F54822AEB8A43B18DF3DD645CB44
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocFreeceilmemcpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 941304502-0
                                                                                                                    • Opcode ID: b42a51ca5293a3dee87d5691d064886e3cec9dc4675c393a7935541609b8591d
                                                                                                                    • Instruction ID: 03d8d04eefa4f88c2af919b14a714cbbbcc34e481a278beb3efaa3deaa601ccb
                                                                                                                    • Opcode Fuzzy Hash: b42a51ca5293a3dee87d5691d064886e3cec9dc4675c393a7935541609b8591d
                                                                                                                    • Instruction Fuzzy Hash: 1D212832714A50CBDB55DF3AF45069DA361EBC9F84F19D221EA0A9374DCE38C9818B48
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • CreateThread.KERNEL32 ref: 000001845C4FA782
                                                                                                                    • CloseHandle.KERNEL32 ref: 000001845C4FA790
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4FA7AC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4FA7D6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4031785131-0
                                                                                                                    • Opcode ID: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
                                                                                                                    • Instruction ID: d141c33c1d52ef5d229e11d6843b61b1bf05e92c2042a35a69b650b747ac969b
                                                                                                                    • Opcode Fuzzy Hash: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
                                                                                                                    • Instruction Fuzzy Hash: 90213A76704A5183EB28DF63E45465EA3A1FB8EFD0F448129DF8A43B18DF38D2558744
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F6188
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F61B2
                                                                                                                    • CreateThread.KERNEL32 ref: 000001845C4F61CF
                                                                                                                    • CloseHandle.KERNEL32 ref: 000001845C4F61DD
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
• String ID:
• API String ID: 4031785131-0
• Opcode ID: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
• Instruction ID: 510e9499f5cc28d9af2dbd49f79e28911d199451cf4eadb52fad4193c3bd6a31
• Opcode Fuzzy Hash: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
• Instruction Fuzzy Hash: 30118F32715B5283EB18CFA3E64469EA3A1FB89FC0F48C225CB4A43B54DF38D2618744
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Event$ObjectSingleWait
• String ID:
• API String ID: 2127046782-0
• Opcode ID: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
• Instruction ID: d171baca4dfdd28b7a0fb397c1e9a91fbc1745542710ced2c475a9aeb32a851d
• Opcode Fuzzy Hash: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
• Instruction Fuzzy Hash: 7E01887171455DC3DBA58F66F98469DA3E0F7E8FD0F888215CA0987758DD34C9888708
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Cursor$CountInfoOpenProcessTick
• String ID:
• API String ID: 1051838312-0
• Opcode ID: 367ce5d8dd7bc755535d42e0695e3db5e97519ce22b5c81c9f6c4a96f8940a8e
• Instruction ID: c08fd90f93898ae8ac595b90b36deeb78f2546420467600c66ceae41a3f07c27
• Opcode Fuzzy Hash: 367ce5d8dd7bc755535d42e0695e3db5e97519ce22b5c81c9f6c4a96f8940a8e
• Instruction Fuzzy Hash: D4F0A472610A4A83E7049F71E8042ADB3A1FBA5B4DF448326C64A06755EF38C6D4CB88
APIs
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CancelEventReadclosesocket
• String ID:
• API String ID: 2025173275-0
• Opcode ID: 4ad045dac1ffec8b3e3923f420bc84c49a6e4073b63f8c3011d5d04808e9b135
• Instruction ID: 8d567ca45d25d2b1ea219e2a50e27d28cf906cb61552ee675156b98d18c401e1
• Opcode Fuzzy Hash: 4ad045dac1ffec8b3e3923f420bc84c49a6e4073b63f8c3011d5d04808e9b135
• Instruction Fuzzy Hash: 73E0E531301E1AC3EB195FF1D8543ACA390AF64F75FA887158D35962D4DE3885858359
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$h-l1-2-0.dll
• API String ID: 0-1747795296
• Opcode ID: 0f20d8eddffe02f4355215346de876ec0be27590aef8c60f560b2699b0830f65
• Instruction ID: a2a64c9656dbf3ac80e007cf1625033fad391ae153a40853377359a67ab715bb
• Opcode Fuzzy Hash: 0f20d8eddffe02f4355215346de876ec0be27590aef8c60f560b2699b0830f65
• Instruction Fuzzy Hash: 0DE15B73301B4693EF14EB2DD54029C27A0F745FA0F848129DA9D977A2DF38CAA5CB80
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfff$o-l1-2-1
• API String ID: 3215553584-1082851355
• Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction ID: 35f44d6248e26576cf52ff3a087703af49e5567ca7485271ac6f2982216cf897
• Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction Fuzzy Hash: CC5115737147C687E7258F29A94139DAB91E381B90F48E225D7D987AD6CF38D644CB00
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfff$o-l1-2-1
• API String ID: 3215553584-1082851355
• Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
• Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
• API String ID: 3215553584-688204690
• Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
• Instruction ID: fcc4e98753c76f204dac5035a5fdf26dc6fcf29de7bff09a069ead2da3181eff
• Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
• Instruction Fuzzy Hash: CD416873A01B459BE700CF25E8417DD33E5E719388F40C626AA9987B98DF39C625CB84
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
• API String ID: 3215553584-688204690
• Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
• Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
• Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
• Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340
APIs
Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DestructExceptionObject$__vcrt_getptd_noexit
                                                                                                                    • String ID: csm
                                                                                                                    • API String ID: 3780691363-1018135373
                                                                                                                    • Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                    • Instruction ID: 68cf5074ba69b881289d54ed96a6c5298438dc51312a792323b2b4b7cd58f0c1
                                                                                                                    • Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                    • Instruction Fuzzy Hash: BB21283760464287E631DF16E05039EB760F388BA9F408211DED983BA5DF39DA86CF11
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DestructExceptionObject$__vcrt_getptd_noexit
                                                                                                                    • String ID: csm
                                                                                                                    • API String ID: 3780691363-1018135373
                                                                                                                    • Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                    • Instruction ID: 011c5e600e2baba1b5aebe761702f78806dc8dec4a9d5acc90072a234146c346
                                                                                                                    • Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                    • Instruction Fuzzy Hash: 40212D76204A4887E7B2DF15E05079E7760F39DBE4F008206EEA943795CF39DA8ACB01
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Windowlstrlen$memset$Process$ByteCharDataForegroundInputLocalMultiProcSessionTextThreadTimeWide__chkstkwsprintf
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 780575994-4108050209
                                                                                                                    • Opcode ID: 8004b3049ace1bb0400474f1a69768e4362440f1312b9a8d3f505a6f2555652d
                                                                                                                    • Instruction ID: 9f6b42212236260f1e306e0f24ef2dbb705a372d8fadfbebe11887c0835667bb
                                                                                                                    • Opcode Fuzzy Hash: 8004b3049ace1bb0400474f1a69768e4362440f1312b9a8d3f505a6f2555652d
                                                                                                                    • Instruction Fuzzy Hash: BB01AD316142A6C3F6108F61E6087EEAAA0F7A1B94F548321EE8003AD9CF38C640CB85
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastgetpeername
                                                                                                                    • String ID: getpeername: %s
                                                                                                                    • API String ID: 2962421750-464625284
                                                                                                                    • Opcode ID: a69c3c67f136694d744e90525e7a2b9d8621fa00472cafbfdea3fe4c2253d187
                                                                                                                    • Instruction ID: 2d06ae00203c363c823229778ff2be1d2049b43bf04b8a2e9c475cf677ba846f
                                                                                                                    • Opcode Fuzzy Hash: a69c3c67f136694d744e90525e7a2b9d8621fa00472cafbfdea3fe4c2253d187
                                                                                                                    • Instruction Fuzzy Hash: 00F06D7930479A83DA009F96F5052DEE360E799FC8F848222EF494775ACF38C3448B44
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastioctlsocket
                                                                                                                    • String ID: ioctlsocket FIONBIO 1 failed with error %d
                                                                                                                    • API String ID: 1021210092-1910823214
                                                                                                                    • Opcode ID: 5437741f9e197df0456073593f822ef657802a2ced6ff6b5c6ff5a60d5650b15
                                                                                                                    • Instruction ID: 0284b7606a0f120ee5af997e74ffc61a249174d11c3b4bb6682bdb46a0c33d4e
                                                                                                                    • Opcode Fuzzy Hash: 5437741f9e197df0456073593f822ef657802a2ced6ff6b5c6ff5a60d5650b15
                                                                                                                    • Instruction Fuzzy Hash: 63E0267171061B83F7000FF098843CE96509768769F80D1259C42462A0DE3CDACDC764
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __std_exception_copy
                                                                                                                    • String ID: `vector destructor iterator'$nt delete closure'
                                                                                                                    • API String ID: 592178966-1611991873
                                                                                                                    • Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                    • Instruction ID: 3043ecb2c8399d8b9c14b74e94f74efd8f5ba6a037f6f9b56c79e4a541fbf60e
                                                                                                                    • Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                    • Instruction Fuzzy Hash: 59E04F73200B0092DF158F55F8501EC73A4EB4CB50B48D0229A9C87355EF38C6E9C704
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __std_exception_copy
                                                                                                                    • String ID: `vector destructor iterator'$nt delete closure'
                                                                                                                    • API String ID: 592178966-1611991873
                                                                                                                    • Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                    • Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
                                                                                                                    • Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                    • Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                    • String ID: File
                                                                                                                    • API String ID: 932687459-749574446
                                                                                                                    • Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                    • Instruction ID: 4ee1287ad15bde44113e449cd526210951ad5c3771337bd71063dc856ee1dd59
                                                                                                                    • Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                    • Instruction Fuzzy Hash: 8EC04C7321458797DA20EB15D8921DD6331B7A8344F908551A2DD829B7DF19C719CF00
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2931759513.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2931672186.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932130632.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932229146.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.2932312205.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                    • String ID: File
                                                                                                                    • API String ID: 932687459-749574446
                                                                                                                    • Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                    • Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
                                                                                                                    • Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                    • Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34EB
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E34FD
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3510
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3527
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3556
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3568
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E357B
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3592
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35C1
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E35D3
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35E6
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35FD
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E362C
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E363E
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3654
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EC7B5
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EC7DF
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EC7F5
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EC81F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3420869360-0
                                                                                                                    • Opcode ID: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
                                                                                                                    • Instruction ID: 1949ad6ce855557eb9f2fdda37de7fbcb8374af68fccec7940809157b0e3c1ee
                                                                                                                    • Opcode Fuzzy Hash: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
                                                                                                                    • Instruction Fuzzy Hash: F7416632715B4187EB68CF63E458A5EB7A5FB89F80F058629DF8A03B18DF39C5458B04
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C503B10
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C503B3A
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C503B50
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C503B7A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 696443088-0
                                                                                                                    • Opcode ID: c9680d75c501e4054c7710036f39944100f54ecf03344763eed7e87a999867f9
                                                                                                                    • Instruction ID: 8e57e9c47c0c91b85c74fdf310b37a671cc85f468b9c1bb62407fc9c17c0e00a
                                                                                                                    • Opcode Fuzzy Hash: c9680d75c501e4054c7710036f39944100f54ecf03344763eed7e87a999867f9
                                                                                                                    • Instruction Fuzzy Hash: EA416D32315B5183EB58CF52E458A6EB3A5FB89F80F46C125DE9A43B08DF39C145CB04
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F8213
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F8258
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F828E
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F829F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1953590826-0
                                                                                                                    • Opcode ID: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
                                                                                                                    • Instruction ID: b021d3e20db22dc384ed840fdd73e1c0644c1e2c31e5f928e516ccf68f1c1b8a
                                                                                                                    • Opcode Fuzzy Hash: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
                                                                                                                    • Instruction Fuzzy Hash: 89319171311E4183FB988FA2E9547AD63A0FB9AFD0F09C225CE1A4BB85DF38D5918744
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F1274
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F12B9
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F12EF
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F1300
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1953590826-0
                                                                                                                    • Opcode ID: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
                                                                                                                    • Instruction ID: 503629a583d82f2db71ad6f6d26cd3434a3095504a4ab20d434b4ab9767f3ece
                                                                                                                    • Opcode Fuzzy Hash: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
                                                                                                                    • Instruction Fuzzy Hash: 5D31C131300A4283FB588F67E554BAD63A0FB8AFC4F08C220CE0A47B48DF38C6418B48
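Each block above is what the report gives per recovered function in the svchost.exe dump: the API references made directly from the function body, the references made inside a subcall (here always function 000001845C4E3330, whose VirtualAlloc / InitializeCriticalSection / IsBadReadPtr sequence is repeated into every caller's block), the memory-dump segment the code was lifted from, and the Similarity hashes. Three of the functions in this section share API String ID 1953590826-0 and differ only in their Instruction Fuzzy Hash. As an added example, not part of the Joe Sandbox report or of its tooling, the Python below parses blocks in this layout into records and groups them by API String ID, so the Instruction Fuzzy Hash values can be pivoted on in a separate database. The input is two abridged blocks copied from this section (subcall lines trimmed); the record field names are my own.

```python
import re
from collections import defaultdict

# Constructed input: two abridged function blocks copied from the report above
# (subcall lines trimmed; the "Download File" link residue is left in on purpose).
SAMPLE = """\
APIs
• VirtualAlloc.KERNEL32 ref: 000001845C4F8213
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
• VirtualFree.KERNEL32 ref: 000001845C4F8258
• VirtualFree.KERNEL32 ref: 000001845C4F828E
• VirtualFree.KERNEL32 ref: 000001845C4F829F
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
• Instruction ID: b021d3e20db22dc384ed840fdd73e1c0644c1e2c31e5f928e516ccf68f1c1b8a
• Opcode Fuzzy Hash: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
• Instruction Fuzzy Hash: 89319171311E4183FB988FA2E9547AD63A0FB9AFD0F09C225CE1A4BB85DF38D5918744
APIs
• VirtualAlloc.KERNEL32 ref: 000001845C4F1274
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
• VirtualFree.KERNEL32 ref: 000001845C4F12B9
• VirtualFree.KERNEL32 ref: 000001845C4F12EF
• VirtualFree.KERNEL32 ref: 000001845C4F1300
Memory Dump Source
• Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
• Instruction ID: 503629a583d82f2db71ad6f6d26cd3434a3095504a4ab20d434b4ab9767f3ece
• Opcode Fuzzy Hash: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
• Instruction Fuzzy Hash: 5D31C131300A4283FB588F67E554BAD63A0FB8AFC4F08C220CE0A47B48DF38C6418B48
"""

# One API reference: direct, or "Part of subcall function <addr>: ..." (args optional).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# Key/value bullets copied straight into the record (field names are my own).
KV_FIELDS = {
    "Snapshot File": "snapshot", "API ID": "api_id", "API String ID": "api_string_id",
    "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
    "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy",
}

def parse_blocks(text):
    """Return one dict per block; a block runs from an 'APIs' heading to the next one."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip().replace("Download File", "")  # web-UI link residue
        if line == "APIs":
            rec = {"direct": [], "subcall": [], "associated": []}
            records.append(rec)
            continue
        if rec is None or not line.startswith("•"):
            continue  # text before the first block, or a section heading
        body = line[1:].strip()
        m = API_RE.match(body)
        if m:
            if m["sub"]:
                rec["subcall"].append((m["sub"], m["api"], m["mod"], m["ref"]))
            else:
                rec["direct"].append((m["api"], m["mod"], m["ref"]))
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Associated":
            rec["associated"].append(value)
        elif key == "Source File":
            # "<segment>.sdmp, Offset: <base>, based on PE: true"
            parts = [p.strip() for p in value.split(",")]
            rec["source_file"] = parts[0]
            rec["base"] = parts[1].split(":", 1)[1].strip()
        elif key in KV_FIELDS:
            rec[KV_FIELDS[key]] = value
    return records

def direct_api_sequence(rec):
    """API names called from the function body itself, in listing order (subcalls excluded)."""
    return [api for api, _mod, _ref in rec["direct"]]

def group_by_api_string_id(records):
    """Map API String ID -> Instruction Fuzzy Hashes of the functions that share it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.get("api_string_id", "")].append(rec.get("instruction_fuzzy", ""))
    return dict(groups)

RECORDS = parse_blocks(SAMPLE)
```

Two things to keep in mind when using the output: the API String ID is only a hash of the API-name set, so sharing it says the functions use the same imports, not that they are the same code; the Instruction Fuzzy Hash is the value to compare across samples. And because the report inlines the callee's API references into every caller's block, the subcall entries for 000001845C4E3330 are repeated in each record, so count them from `subcall`, not from `direct`, or they will be tallied once per caller.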
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C501F04
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C501F49
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C501F7F
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C501F90
                                                                                                                     Memory Dump Source
                                                                                                                     • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1953590826-0
                                                                                                                    • Opcode ID: f4df4a3ac5e6fb09ea1b5c184ea8ce42575441d447ce80640701a34ba3f7fd77
                                                                                                                    • Instruction ID: 49f9329188b9d6abe498b2bca3c8d2890d877e615598e4e10f98194f18bdf9cd
                                                                                                                    • Opcode Fuzzy Hash: f4df4a3ac5e6fb09ea1b5c184ea8ce42575441d447ce80640701a34ba3f7fd77
                                                                                                                    • Instruction Fuzzy Hash: 6231D231310A5683EB588FA3E5543AEA3A1FB98FC0F08C220DE0A87B48DF38C6408345
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4F7004
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F7049
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F707F
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4F7090
                                                                                                                     Memory Dump Source
                                                                                                                     • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1953590826-0
                                                                                                                    • Opcode ID: 68638a45072214ee0e893a58682f264645d2bfca7efd773f1cf6502fd29ef5f2
                                                                                                                    • Instruction ID: b75bfda7276ca02bfb281d32dc2c110b5e880e542f52a4f3397260d3f8504fba
                                                                                                                    • Opcode Fuzzy Hash: 68638a45072214ee0e893a58682f264645d2bfca7efd773f1cf6502fd29ef5f2
                                                                                                                    • Instruction Fuzzy Hash: AB318931310A4287EB588F62E554BAE63B1AF89FD4F088225DE0A47B88DF29D6518744
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C503094
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C5030D9
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C50310F
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C503120
                                                                                                                     Memory Dump Source
                                                                                                                     • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1953590826-0
                                                                                                                    • Opcode ID: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
                                                                                                                    • Instruction ID: 6fb94a90e37f9765f0c36bf6e74c400f00e152602e08781c553fa173a7744c00
                                                                                                                    • Opcode Fuzzy Hash: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
                                                                                                                    • Instruction Fuzzy Hash: 03318F71310A5683EB58CFA3E55479DA3A1FB99FC4F08D225CF0A87B88DF28C6558744
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4FD93A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4FD97F
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4FD9B5
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4FD9C6
                                                                                                                     Memory Dump Source
                                                                                                                     • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1953590826-0
                                                                                                                    • Opcode ID: ec5b1167f005ac1d8a69da9b77871cfdf6301f2a7abf43893b2e18070580acd4
                                                                                                                    • Instruction ID: 68cb259764e527b6eb98e7c7e5c3ed4dd9c869c01c1d1295c362145bb3e2d0a8
                                                                                                                    • Opcode Fuzzy Hash: ec5b1167f005ac1d8a69da9b77871cfdf6301f2a7abf43893b2e18070580acd4
                                                                                                                    • Instruction Fuzzy Hash: 41319131310A4283EB58CFA3E554BAD63A0FB49FD4F08C225CE0A47B88DF28D6558744
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4EC1B4
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EC1F9
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EC22F
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EC240
                                                                                                                     Memory Dump Source
                                                                                                                     • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                     • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1953590826-0
                                                                                                                    • Opcode ID: 62c558665775160bff6bd4cbced2f3b4a28216fdecb6bb590b6097234b34c5f5
                                                                                                                    • Instruction ID: 899d251949dcb9c1b32abb36f5aa85d0ed3e3affb51f980d8e97e13321565c8b
                                                                                                                    • Opcode Fuzzy Hash: 62c558665775160bff6bd4cbced2f3b4a28216fdecb6bb590b6097234b34c5f5
                                                                                                                    • Instruction Fuzzy Hash: 9D31A231710A4283EB588FA7E6547AE63A0FB89FC4F08C225CE1A47B88DF38C6418745
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNEL32 ref: 000001845C4EB1D4
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                      • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                      • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                      • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                      • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                      • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EB219
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EB24F
                                                                                                                    • VirtualFree.KERNEL32 ref: 000001845C4EB260
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1953590826-0
                                                                                                                    • Opcode ID: 6a0dbe3a0a406c02cb2e4d729dffdfe30f5f50d64f32219fd7338cec30936ee1
                                                                                                                    • Instruction ID: 5fec0cda7ae777088ad95f40a280965e1a684259b3dd82eeb8ee7aa317baa579
                                                                                                                    • Opcode Fuzzy Hash: 6a0dbe3a0a406c02cb2e4d729dffdfe30f5f50d64f32219fd7338cec30936ee1
                                                                                                                    • Instruction Fuzzy Hash: EE31D231310A0283EB549F67E658BAD63A1FF89FC0F08C220CE0A47B58DF38C6448309
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                    • API String ID: 0-4293706295
                                                                                                                    • Opcode ID: e616ce5f37f1b4e4ce6758aa9da7daa550d8ae5af315314d3572aa898a2e0930
                                                                                                                    • Instruction ID: 2112eeed5991ed57b2554ea9d727f45c05c098cfdd79fe416daec37c3b6cbcc5
                                                                                                                    • Opcode Fuzzy Hash: e616ce5f37f1b4e4ce6758aa9da7daa550d8ae5af315314d3572aa898a2e0930
                                                                                                                    • Instruction Fuzzy Hash: 9421C537612A0397FE54DF55F859BAC23A0AB58F40F48C52888CA833A4EF78D248CB05
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                    • API String ID: 0-4293706295
                                                                                                                    • Opcode ID: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
                                                                                                                    • Instruction ID: ffb873e33f24ff64d72577ffc472100e7d24292a4ee4940022bad741f5a5994a
                                                                                                                    • Opcode Fuzzy Hash: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
                                                                                                                    • Instruction Fuzzy Hash: E621D637612A0387FE54DF55F859BAC23A0AB59F51F48C428C8CA833A0EF38D248CB05
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                    • API String ID: 0-4293706295
                                                                                                                    • Opcode ID: 318f5717511456cabe01ac0f45910221d27ad42c297a2242a16efb7a4ad3622b
                                                                                                                    • Instruction ID: 2b3f0a30c1259a21c04e86109ef383670515a3d33997fa5eeeaeab5e64445a9a
                                                                                                                    • Opcode Fuzzy Hash: 318f5717511456cabe01ac0f45910221d27ad42c297a2242a16efb7a4ad3622b
                                                                                                                    • Instruction Fuzzy Hash: A521E737612B0387FE54DF55F859BAC23A0AB58B50F48C428C88A833A0EF3CD248CB05
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939283482.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939363978.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939386582.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                    • API String ID: 0-4293706295
                                                                                                                    • Opcode ID: 8c09dbcfe2dae1ad0642468bfe82c4cc15e963c79359e8f814b649e352f9735f
                                                                                                                    • Instruction ID: cde2585cf13153271a4d7d089664989d999627a01a63d61e9ea037d58361e748
                                                                                                                    • Opcode Fuzzy Hash: 8c09dbcfe2dae1ad0642468bfe82c4cc15e963c79359e8f814b649e352f9735f
                                                                                                                    • Instruction Fuzzy Hash: E221D837612B0387FE54DF55F859BAC23A0A758B90F48C428C88E833A0EF38D248CB15
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2939705098.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.2939682102.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939746767.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939772311.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000002.00000002.2939794558.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$EnterLeave
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3168844106-0
                                                                                                                    • Opcode ID: 7d424a39128fc79d423e685d07f3b0557c8311698411645ac54d4061eb6ffd6c
                                                                                                                    • Instruction ID: a58cf18c0dbcabda73001a2cea1a3739616d347a3a1cb37d0de3244666e895dd
                                                                                                                    • Opcode Fuzzy Hash: 7d424a39128fc79d423e685d07f3b0557c8311698411645ac54d4061eb6ffd6c
                                                                                                                    • Instruction Fuzzy Hash: 1A11E531700F95C7D7149F62A94829DA321FF58FC4F888221EF5667B55CF38C5558348