Edit tour

Windows Analysis Report
2024-12-10#U67e5#U9605_uninst.exe

Overview

General Information

Sample name:	2024-12-10#U67e5#U9605_uninst.exe renamed because original name is a hash value
Original sample name:	2024-12-10_uninst.exe
Analysis ID:	1572748
MD5:	0aa972dc4d2fe4c5f9a7a9d26ea3f51f
SHA1:	2e141f8072836b479572b1d7fa468727011601eb
SHA256:	bb1d91e8f93a1b08b098969e48a12d2f2b8203a30de0c3d85ec8cd36a3fa8049
Tags:	exeSilverFoxuser-NDA0E
Infos:

Detection

ValleyRAT

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Yara detected ValleyRAT

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain checking for user administrative privileges

Hijacks the control flow in another process

Modifies the context of a thread in another process (thread injection)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to create new users

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Tries to disable installed Antivirus / HIPS / PFW

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

2024-12-10#U67e5#U9605_uninst.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe" MD5: 0AA972DC4D2FE4C5F9A7A9D26EA3F51F)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7368 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 7400 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

arphaCrashReport64.exe (PID: 7448 cmdline: "C:\Program Files\Windows Mail\arphaCrashReport64.exe" MD5: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A)

svchost.exe (PID: 7500 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 7532 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: svchost.exe PID: 1044	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security

Sigma Signatures

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe", ParentImage: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe, ParentProcessId: 7324, ParentProcessName: 2024-12-10#U67e5#U9605_uninst.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1044, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe", ParentImage: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe, ParentProcessId: 7324, ParentProcessName: 2024-12-10#U67e5#U9605_uninst.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1044, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.bin	Jump to behavior

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: 2024-12-10#U67e5#U9605_uninst.exe, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000004.00000002.1695190285.0000000180039000.00000002.00000001.01000000.00000005.sdmp, arphaDump64.dll.1.dr
Source:	Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: 2024-12-10#U67e5#U9605_uninst.exe, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000004.00000002.1698239793.00007FF7B5E32000.00000002.00000001.01000000.00000004.sdmp, arphaCrashReport64.exe, 00000004.00000000.1687919776.00007FF7B5E32000.00000002.00000001.01000000.00000004.sdmp, arphaCrashReport64.exe.1.dr

Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E6810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	1_2_000001845C4E6810
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	2_2_0000000180026810
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	3_2_0000000180026810

Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DDDD0 malloc,memset,FindFirstFileW,free,	1_2_000001845C4DDDD0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DC850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_000001845C4DC850
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DE210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	1_2_000001845C4DE210
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DCCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_000001845C4DCCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	2_2_000000018001E210
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_000000018001C850
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_000000018001CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	2_2_000000018001DDD0
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_000000018001E210
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018001C850
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018001CCF0
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	3_2_000000018001DDD0

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4ECD30 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,lstrcpyW,lstrcatW,

1_2_000001845C4ECD30

Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188

Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF63A83D9D0 WSARecv,WSAGetLastError,

0_2_00007FF63A83D9D0

Source: global traffic

DNS traffic detected: DNS query: www.baidu.com

Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: arphaCrashReport64.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4D97D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_000001845C4D97D0

Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D97D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	1_2_000001845C4D97D0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D99F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	1_2_000001845C4D99F0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E6200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	1_2_000001845C4E6200
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EF1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	1_2_000001845C4EF1B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_000000018002F1B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	2_2_0000000180026200
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_00000001800197D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	2_2_00000001800199F0
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_000000018002F1B0
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_0000000180026200
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_00000001800197D0
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_00000001800199F0

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4DAC60 DefWindowProcW,SendMessageW,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,lstrlenW,lstrlenW,GlobalUnlock,CloseClipboard,VirtualFree,VirtualFree,CloseClipboard,SendMessageW,PostQuitMessage,

1_2_000001845C4DAC60

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4DA410 GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

1_2_000001845C4DA410

Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1687293597.000002C44E45D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_484d75fe-0

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800080F2 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort,	0_2_00000001800080F2
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180005824 realloc,NtQuerySystemInformation,	0_2_0000000180005824
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D2830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	1_2_000001845C4D2830
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D1AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	1_2_000001845C4D1AE0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D1C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	1_2_000001845C4D1C70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	2_2_0000000180011AE0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	2_2_0000000180011C70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	2_2_0000000180012830
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	3_2_0000000180012830
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_0000000180011AE0
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_0000000180011C70

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4E05A0: CreateFileW,memset,lstrlenA,DeviceIoControl,CloseHandle,

1_2_000001845C4E05A0

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4D5FB0 GetCurrentProcessId,TerminateThread,TerminateProcess,lstrcmpiW,Sleep,ExitThread,memset,lstrcatW,lstrcatW,memset,GetSystemDirectoryW,GetLastError,lstrcatW,lstrcatW,lstrcatW,OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SysAllocString,Sleep,GetCurrentProcess,TerminateProcess,

1_2_000001845C4D5FB0

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4DFF40 WTSQueryUserToken,GetLastError,DuplicateTokenEx,ConvertStringSidToSidW,GetLengthSid,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle,

1_2_000001845C4DFF40

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Jump to behavior

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A9F0A20	0_2_00007FF63A9F0A20
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A85ADD0	0_2_00007FF63A85ADD0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8702E6	0_2_00007FF63A8702E6
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A87B922	0_2_00007FF63A87B922
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A9EE680	0_2_00007FF63A9EE680
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8BDC36	0_2_00007FF63A8BDC36
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8C494C	0_2_00007FF63A8C494C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A9EF9A0	0_2_00007FF63A9EF9A0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63AA0DE04	0_2_00007FF63AA0DE04
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A886D54	0_2_00007FF63A886D54
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63AA0BD78	0_2_00007FF63AA0BD78
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8BBE7A	0_2_00007FF63A8BBE7A
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8BD3CC	0_2_00007FF63A8BD3CC
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63AA10420	0_2_00007FF63AA10420
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8AC430	0_2_00007FF63A8AC430
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8A7926	0_2_00007FF63A8A7926
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8C187C	0_2_00007FF63A8C187C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8BA5E2	0_2_00007FF63A8BA5E2
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8C76F7	0_2_00007FF63A8C76F7
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800080F2	0_2_00000001800080F2
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800054D5	0_2_00000001800054D5
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800015B0	0_2_00000001800015B0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180009BC0	0_2_0000000180009BC0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180001010	0_2_0000000180001010
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180028038	0_2_0000000180028038
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018002C080	0_2_000000018002C080
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800180EE	0_2_00000001800180EE
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180004153	0_2_0000000180004153
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002170	0_2_0000000180002170
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000B1AC	0_2_000000018000B1AC
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800151E8	0_2_00000001800151E8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003220	0_2_0000000180003220
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000225E	0_2_000000018000225E
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000B280	0_2_000000018000B280
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000C2D0	0_2_000000018000C2D0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003220	0_2_0000000180003220
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000435B	0_2_000000018000435B
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000C370	0_2_000000018000C370
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800033B8	0_2_00000001800033B8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180028464	0_2_0000000180028464
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003464	0_2_0000000180003464
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000947B	0_2_000000018000947B
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800044C1	0_2_00000001800044C1
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002526	0_2_0000000180002526
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003530	0_2_0000000180003530
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180007550	0_2_0000000180007550
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800045A9	0_2_00000001800045A9
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000360B	0_2_000000018000360B
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000B620	0_2_000000018000B620
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002666	0_2_0000000180002666
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000469C	0_2_000000018000469C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000B6C0	0_2_000000018000B6C0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800096E0	0_2_00000001800096E0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000C6F0	0_2_000000018000C6F0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003717	0_2_0000000180003717
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002777	0_2_0000000180002777
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003833	0_2_0000000180003833
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180014848	0_2_0000000180014848
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000284D	0_2_000000018000284D
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003880	0_2_0000000180003880
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000290C	0_2_000000018000290C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800069E0	0_2_00000001800069E0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002A06	0_2_0000000180002A06
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180001A10	0_2_0000000180001A10
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002A19	0_2_0000000180002A19
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018001AA6C	0_2_000000018001AA6C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180006AB0	0_2_0000000180006AB0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003AE0	0_2_0000000180003AE0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180023B98	0_2_0000000180023B98
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018001FC0C	0_2_000000018001FC0C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002C8A	0_2_0000000180002C8A
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180004CB0	0_2_0000000180004CB0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003CF2	0_2_0000000180003CF2
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180001D60	0_2_0000000180001D60
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180016D88	0_2_0000000180016D88
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003DBC	0_2_0000000180003DBC
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002E24	0_2_0000000180002E24
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180005E58	0_2_0000000180005E58
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180029E8C	0_2_0000000180029E8C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180024EB0	0_2_0000000180024EB0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000BEB0	0_2_000000018000BEB0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180008EC0	0_2_0000000180008EC0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018001FED8	0_2_000000018001FED8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000DEE8	0_2_000000018000DEE8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180010F18	0_2_0000000180010F18
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180021F44	0_2_0000000180021F44
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180006F70	0_2_0000000180006F70
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180001010	1_2_0000000180001010
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180001A10	1_2_0000000180001A10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180001D60	1_2_0000000180001D60
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003833	1_2_0000000180003833
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180028038	1_2_0000000180028038
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180014848	1_2_0000000180014848
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000284D	1_2_000000018000284D
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018002C080	1_2_000000018002C080
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003880	1_2_0000000180003880
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800180EE	1_2_00000001800180EE
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800080F2	1_2_00000001800080F2
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000290C	1_2_000000018000290C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180004153	1_2_0000000180004153
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180002170	1_2_0000000180002170
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000B1AC	1_2_000000018000B1AC
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800069E0	1_2_00000001800069E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800151E8	1_2_00000001800151E8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180002A06	1_2_0000000180002A06
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180002A19	1_2_0000000180002A19
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003220	1_2_0000000180003220
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000225E	1_2_000000018000225E
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018001AA6C	1_2_000000018001AA6C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000B280	1_2_000000018000B280
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180006AB0	1_2_0000000180006AB0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000C2D0	1_2_000000018000C2D0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003AE0	1_2_0000000180003AE0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003220	1_2_0000000180003220
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000435B	1_2_000000018000435B
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000C370	1_2_000000018000C370
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180023B98	1_2_0000000180023B98
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800033B8	1_2_00000001800033B8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180009BC0	1_2_0000000180009BC0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018001FC0C	1_2_000000018001FC0C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180028464	1_2_0000000180028464
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003464	1_2_0000000180003464
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000947B	1_2_000000018000947B
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180002C8A	1_2_0000000180002C8A
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180004CB0	1_2_0000000180004CB0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800044C1	1_2_00000001800044C1
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800054D5	1_2_00000001800054D5
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003CF2	1_2_0000000180003CF2
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180002526	1_2_0000000180002526
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003530	1_2_0000000180003530
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180007550	1_2_0000000180007550
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180016D88	1_2_0000000180016D88
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800045A9	1_2_00000001800045A9
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800015B0	1_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003DBC	1_2_0000000180003DBC
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000360B	1_2_000000018000360B
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000B620	1_2_000000018000B620
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180002E24	1_2_0000000180002E24
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180005E58	1_2_0000000180005E58
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180002666	1_2_0000000180002666
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180029E8C	1_2_0000000180029E8C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000469C	1_2_000000018000469C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180024EB0	1_2_0000000180024EB0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000BEB0	1_2_000000018000BEB0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000B6C0	1_2_000000018000B6C0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180008EC0	1_2_0000000180008EC0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018001FED8	1_2_000000018001FED8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800096E0	1_2_00000001800096E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000DEE8	1_2_000000018000DEE8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000C6F0	1_2_000000018000C6F0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003717	1_2_0000000180003717
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180010F18	1_2_0000000180010F18
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180021F44	1_2_0000000180021F44
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180006F70	1_2_0000000180006F70
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180002777	1_2_0000000180002777
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF374F2	1_2_000001845BF374F2
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF474EE	1_2_000001845BF474EE
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF5B480	1_2_000001845BF5B480
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32C80	1_2_000001845BF32C80
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF43C48	1_2_000001845BF43C48
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF31C4D	1_2_000001845BF31C4D
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF57438	1_2_000001845BF57438
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32C33	1_2_000001845BF32C33
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF30410	1_2_000001845BF30410
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF31B77	1_2_000001845BF31B77
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF36370	1_2_000001845BF36370
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF51344	1_2_000001845BF51344
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32B17	1_2_000001845BF32B17
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF40318	1_2_000001845BF40318
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3D2E8	1_2_000001845BF3D2E8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3BAF0	1_2_000001845BF3BAF0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF4F2D8	1_2_000001845BF4F2D8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF38AE0	1_2_000001845BF38AE0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF382C0	1_2_000001845BF382C0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3AAC0	1_2_000001845BF3AAC0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF542B0	1_2_000001845BF542B0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3B2B0	1_2_000001845BF3B2B0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF33A9C	1_2_000001845BF33A9C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF5928C	1_2_000001845BF5928C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF31A66	1_2_000001845BF31A66
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF35258	1_2_000001845BF35258
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32224	1_2_000001845BF32224
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3AA20	1_2_000001845BF3AA20
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32A0B	1_2_000001845BF32A0B
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF331BC	1_2_000001845BF331BC
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF339A9	1_2_000001845BF339A9
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF309B0	1_2_000001845BF309B0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF46188	1_2_000001845BF46188
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF31160	1_2_000001845BF31160
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF36950	1_2_000001845BF36950
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF31926	1_2_000001845BF31926
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32930	1_2_000001845BF32930
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF330F2	1_2_000001845BF330F2
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF348D5	1_2_000001845BF348D5
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF338C1	1_2_000001845BF338C1
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF340B0	1_2_000001845BF340B0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3208A	1_2_000001845BF3208A
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3887B	1_2_000001845BF3887B
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32864	1_2_000001845BF32864
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF57864	1_2_000001845BF57864
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF4F00C	1_2_000001845BF4F00C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF327B8	1_2_000001845BF327B8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF38FC0	1_2_000001845BF38FC0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF52F98	1_2_000001845BF52F98
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3B770	1_2_000001845BF3B770
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3375B	1_2_000001845BF3375B
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32620	1_2_000001845BF32620
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32EE0	1_2_000001845BF32EE0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3B6D0	1_2_000001845BF3B6D0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF35EB0	1_2_000001845BF35EB0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3A680	1_2_000001845BF3A680
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF49E6C	1_2_000001845BF49E6C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3165E	1_2_000001845BF3165E
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF31E19	1_2_000001845BF31E19
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF32620	1_2_000001845BF32620
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF31E06	1_2_000001845BF31E06
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF30E10	1_2_000001845BF30E10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF445E8	1_2_000001845BF445E8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF35DE0	1_2_000001845BF35DE0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF3A5AC	1_2_000001845BF3A5AC
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF31570	1_2_000001845BF31570
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF33553	1_2_000001845BF33553
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845BF31D0C	1_2_000001845BF31D0C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E0680	1_2_000001845C4E0680
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D2140	1_2_000001845C4D2140
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DF9E0	1_2_000001845C4DF9E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CED50	1_2_000001845C4CED50
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DE550	1_2_000001845C4DE550
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C6D44	1_2_000001845C4C6D44
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C656A	1_2_000001845C4C656A
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C1D80	1_2_000001845C4C1D80
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E6530	1_2_000001845C4E6530
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EAD30	1_2_000001845C4EAD30
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F8D24	1_2_000001845C4F8D24
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C75D2	1_2_000001845C4C75D2
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CF5E0	1_2_000001845C4CF5E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CC5F0	1_2_000001845C4CC5F0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CEDF0	1_2_000001845C4CEDF0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4FDE00	1_2_000001845C4FDE00
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E4D90	1_2_000001845C4E4D90
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E5590	1_2_000001845C4E5590
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C9588	1_2_000001845C4C9588
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C2D8A	1_2_000001845C4C2D8A
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C7DA1	1_2_000001845C4C7DA1
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D8DA0	1_2_000001845C4D8DA0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DB5A0	1_2_000001845C4DB5A0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EBDC0	1_2_000001845C4EBDC0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F664B	1_2_000001845C4F664B
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F2660	1_2_000001845C4F2660
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C516670	1_2_000001845C516670
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C6E10	1_2_000001845C4C6E10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CCE10	1_2_000001845C4CCE10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D3E10	1_2_000001845C4D3E10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E9E10	1_2_000001845C4E9E10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C5E06	1_2_000001845C4C5E06
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CFE20	1_2_000001845C4CFE20
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C1630	1_2_000001845C4C1630
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D6630	1_2_000001845C4D6630
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DAE40	1_2_000001845C4DAE40
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C3EC7	1_2_000001845C4C3EC7
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D76E0	1_2_000001845C4D76E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C6EEB	1_2_000001845C4C6EEB
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E4700	1_2_000001845C4E4700
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C7E89	1_2_000001845C4C7E89
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CA6A0	1_2_000001845C4CA6A0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C769C	1_2_000001845C4C769C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C519E90	1_2_000001845C519E90
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D9EC0	1_2_000001845C4D9EC0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C5F46	1_2_000001845C4C5F46
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D6F60	1_2_000001845C4D6F60
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F3760	1_2_000001845C4F3760
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F6F5F	1_2_000001845C4F6F5F
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C176F	1_2_000001845C4C176F
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D8780	1_2_000001845C4D8780
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E1F80	1_2_000001845C4E1F80
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C7F7C	1_2_000001845C4C7F7C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DF710	1_2_000001845C4DF710
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C6704	1_2_000001845C4C6704
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C271A	1_2_000001845C4C271A
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EA7F0	1_2_000001845C4EA7F0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C6FF7	1_2_000001845C4C6FF7
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C1F88	1_2_000001845C4C1F88
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D7FA0	1_2_000001845C4D7FA0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F4FA0	1_2_000001845C4F4FA0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D5FB0	1_2_000001845C4D5FB0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DEFC0	1_2_000001845C4DEFC0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E4FC0	1_2_000001845C4E4FC0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E57C0	1_2_000001845C4E57C0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F67B8	1_2_000001845C4F67B8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C4FB5	1_2_000001845C4C4FB5
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DC850	1_2_000001845C4DC850
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C6057	1_2_000001845C4C6057
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C1070	1_2_000001845C4C1070
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E7870	1_2_000001845C4E7870
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E8880	1_2_000001845C4E8880
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EE010	1_2_000001845C4EE010
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F0810	1_2_000001845C4F0810
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CB822	1_2_000001845C4CB822
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D38D0	1_2_000001845C4D38D0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C20C7	1_2_000001845C4C20C7
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CE8DC	1_2_000001845C4CE8DC
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EF890	1_2_000001845C4EF890
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4FA8BC	1_2_000001845C4FA8BC
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D5150	1_2_000001845C4D5150
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C7160	1_2_000001845C4C7160
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C2971	1_2_000001845C4C2971
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D1180	1_2_000001845C4D1180
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C517C	1_2_000001845C4C517C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C517A	1_2_000001845C4C517A
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CA110	1_2_000001845C4CA110
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C7113	1_2_000001845C4C7113
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E4930	1_2_000001845C4E4930
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C612D	1_2_000001845C4C612D
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C504140	1_2_000001845C504140
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CA1E0	1_2_000001845C4CA1E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D99F0	1_2_000001845C4D99F0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C61EC	1_2_000001845C4C61EC
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CFA00	1_2_000001845C4CFA00
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D9190	1_2_000001845C4D9190
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DA190	1_2_000001845C4DA190
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C219F	1_2_000001845C4C219F
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CE9B0	1_2_000001845C4CE9B0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C5A50	1_2_000001845C4C5A50
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F1270	1_2_000001845C4F1270
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C1264	1_2_000001845C4C1264
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C227C	1_2_000001845C4C227C
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E1A10	1_2_000001845C4E1A10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E5A10	1_2_000001845C4E5A10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D8230	1_2_000001845C4D8230
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C3A32	1_2_000001845C4C3A32
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EAA30	1_2_000001845C4EAA30
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C7A33	1_2_000001845C4C7A33
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DEA40	1_2_000001845C4DEA40
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DAAD0	1_2_000001845C4DAAD0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EB2D0	1_2_000001845C4EB2D0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F5AD0	1_2_000001845C4F5AD0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CD2F0	1_2_000001845C4CD2F0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C62E6	1_2_000001845C4C62E6
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C3300	1_2_000001845C4C3300
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C6B00	1_2_000001845C4C6B00
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E9300	1_2_000001845C4E9300
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C62F9	1_2_000001845C4C62F9
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E7290	1_2_000001845C4E7290
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CFAA0	1_2_000001845C4CFAA0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C4A98	1_2_000001845C4C4A98
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D2B50	1_2_000001845C4D2B50
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E4B60	1_2_000001845C4E4B60
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E5340	1_2_000001845C4E5340
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C5B3E	1_2_000001845C4C5B3E
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D73D0	1_2_000001845C4D73D0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C83E0	1_2_000001845C4C83E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C2BD6	1_2_000001845C4C2BD6
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C13F7	1_2_000001845C4C13F7
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CCBAB	1_2_000001845C4CCBAB
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C73C0	1_2_000001845C4C73C0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E3BC0	1_2_000001845C4E3BC0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EFC4B	1_2_000001845C4EFC4B
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EFC5D	1_2_000001845C4EFC5D
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EFC54	1_2_000001845C4EFC54
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C3470	1_2_000001845C4C3470
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E3464	1_2_000001845C4E3464
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4CAC80	1_2_000001845C4CAC80
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D4410	1_2_000001845C4D4410
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C8C05	1_2_000001845C4C8C05
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C6B00	1_2_000001845C4C6B00
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DD420	1_2_000001845C4DD420
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F0C20	1_2_000001845C4F0C20
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EFC30	1_2_000001845C4EFC30
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EFC27	1_2_000001845C4EFC27
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EFC42	1_2_000001845C4EFC42
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EFC39	1_2_000001845C4EFC39
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C7C3B	1_2_000001845C4C7C3B
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C2CD2	1_2_000001845C4C2CD2
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C54E0	1_2_000001845C4C54E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E24E0	1_2_000001845C4E24E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DCCF0	1_2_000001845C4DCCF0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F34F0	1_2_000001845C4F34F0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E5C90	1_2_000001845C4E5C90
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F5C90	1_2_000001845C4F5C90
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4F6C9E	1_2_000001845C4F6C9E
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C6C98	1_2_000001845C4C6C98
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4D9CB0	1_2_000001845C4D9CB0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E44B0	1_2_000001845C4E44B0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4C3CA6	1_2_000001845C4C3CA6
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180012140	2_2_0000000180012140
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180015150	2_2_0000000180015150
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800224E0	2_2_00000001800224E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180020680	2_2_0000000180020680
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800176E0	2_2_00000001800176E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001F9E0	2_2_000000018001F9E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001AAD0	2_2_000000018001AAD0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180013E10	2_2_0000000180013E10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180006FF7	2_2_0000000180006FF7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018002E010	2_2_000000018002E010
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180006057	2_2_0000000180006057
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180001070	2_2_0000000180001070
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800020C7	2_2_00000001800020C7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000A110	2_2_000000018000A110
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180007113	2_2_0000000180007113
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000612D	2_2_000000018000612D
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180044140	2_2_0000000180044140
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180007160	2_2_0000000180007160
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000517A	2_2_000000018000517A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000517C	2_2_000000018000517C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180011180	2_2_0000000180011180
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001A190	2_2_000000018001A190
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180019190	2_2_0000000180019190
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000219F	2_2_000000018000219F
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000A1E0	2_2_000000018000A1E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800061EC	2_2_00000001800061EC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180018230	2_2_0000000180018230
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180001264	2_2_0000000180001264
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180031270	2_2_0000000180031270
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000227C	2_2_000000018000227C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180027290	2_2_0000000180027290
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018002B2D0	2_2_000000018002B2D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800642E0	2_2_00000001800642E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800062E6	2_2_00000001800062E6
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000D2F0	2_2_000000018000D2F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800062F9	2_2_00000001800062F9
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180029300	2_2_0000000180029300
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003300	2_2_0000000180003300
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180062327	2_2_0000000180062327
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180025340	2_2_0000000180025340
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018005B380	2_2_000000018005B380
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800073C0	2_2_00000001800073C0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800173D0	2_2_00000001800173D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800083E0	2_2_00000001800083E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800013F7	2_2_00000001800013F7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018004C410	2_2_000000018004C410
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180014410	2_2_0000000180014410
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001D420	2_2_000000018001D420
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180023464	2_2_0000000180023464
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003470	2_2_0000000180003470
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800244B0	2_2_00000001800244B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800054E0	2_2_00000001800054E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800334F0	2_2_00000001800334F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180026530	2_2_0000000180026530
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001E550	2_2_000000018001E550
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000656A	2_2_000000018000656A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180009588	2_2_0000000180009588
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180025590	2_2_0000000180025590
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001B5A0	2_2_000000018001B5A0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800075D2	2_2_00000001800075D2
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000F5E0	2_2_000000018000F5E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000C5F0	2_2_000000018000C5F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180016630	2_2_0000000180016630
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180001630	2_2_0000000180001630
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018003664B	2_2_000000018003664B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180032660	2_2_0000000180032660
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180056670	2_2_0000000180056670
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000769C	2_2_000000018000769C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000A6A0	2_2_000000018000A6A0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800486E0	2_2_00000001800486E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180024700	2_2_0000000180024700
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180006704	2_2_0000000180006704
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001F710	2_2_000000018001F710
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000271A	2_2_000000018000271A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180033760	2_2_0000000180033760
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180063770	2_2_0000000180063770
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000176F	2_2_000000018000176F
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180018780	2_2_0000000180018780
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180052790	2_2_0000000180052790
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800367B8	2_2_00000001800367B8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800257C0	2_2_00000001800257C0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018002A7F0	2_2_000000018002A7F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180030810	2_2_0000000180030810
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000B822	2_2_000000018000B822
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001C850	2_2_000000018001C850
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180027870	2_2_0000000180027870
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180028880	2_2_0000000180028880
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018002F890	2_2_000000018002F890
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018003A8BC	2_2_000000018003A8BC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800138D0	2_2_00000001800138D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000E8DC	2_2_000000018000E8DC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180024930	2_2_0000000180024930
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002971	2_2_0000000180002971
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000E9B0	2_2_000000018000E9B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800199F0	2_2_00000001800199F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180053A00	2_2_0000000180053A00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000FA00	2_2_000000018000FA00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180021A10	2_2_0000000180021A10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180025A10	2_2_0000000180025A10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018002AA30	2_2_000000018002AA30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003A32	2_2_0000000180003A32
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180007A33	2_2_0000000180007A33
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001EA40	2_2_000000018001EA40
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180005A50	2_2_0000000180005A50
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180004A98	2_2_0000000180004A98
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000FAA0	2_2_000000018000FAA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180035AD0	2_2_0000000180035AD0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180006B00	2_2_0000000180006B00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180005B3E	2_2_0000000180005B3E
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180012B50	2_2_0000000180012B50
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180024B60	2_2_0000000180024B60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000CBAB	2_2_000000018000CBAB
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180023BC0	2_2_0000000180023BC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002BD6	2_2_0000000180002BD6
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180008C05	2_2_0000000180008C05
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180030C20	2_2_0000000180030C20

Source: Joe Sandbox View

Dropped File: C:\Program Files\Windows Mail\arphaCrashReport64.exe E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271

Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180044F40 appears 61 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180041800 appears 91 times
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: String function: 00007FF63A826BB0 appears 64 times
Source: C:\Windows\System32\dllhost.exe	Code function: String function: 0000000180044F40 appears 61 times
Source: C:\Windows\System32\dllhost.exe	Code function: String function: 0000000180041800 appears 91 times

Source: 2024-12-10#U67e5#U9605_uninst.exe	Binary or memory string: OriginalFilename vs 2024-12-10#U67e5#U9605_uninst.exe
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs 2024-12-10#U67e5#U9605_uninst.exe
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs 2024-12-10#U67e5#U9605_uninst.exe

Source: classification engine

Classification label: mal92.troj.evad.winEXE@11/5@1/2

Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E0680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	1_2_000001845C4E0680
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DFD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	1_2_000001845C4DFD10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4ECE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	1_2_000001845C4ECE70
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E7870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_000001845C4E7870
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E9A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	1_2_000001845C4E9A70
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E9300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_000001845C4E9300
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E7290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_000001845C4E7290
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E0480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	1_2_000001845C4E0480
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	2_2_0000000180020680
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_0000000180027290
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_0000000180029300
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	2_2_0000000180020480
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_0000000180027870
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	2_2_0000000180029A70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	2_2_000000018001FD10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	2_2_000000018002CE70
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_0000000180027290
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_0000000180029300
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	3_2_0000000180020480
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	3_2_0000000180020680
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_0000000180027870
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	3_2_0000000180029A70
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	3_2_000000018001FD10
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	3_2_000000018002CE70

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4DC4E0 memset,memset,memset,QueryDosDeviceW,GetDriveTypeW,lstrlenW,GetVolumeInformationW,lstrlenW,GetDiskFreeSpaceExW,

1_2_000001845C4DC4E0

Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	1_2_000001845C4E63C0
Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	2_2_00000001800263C0
Source: C:\Windows\System32\dllhost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	3_2_00000001800263C0

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4EC950 memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_000001845C4EC950

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_0000000180001A10 CoInitialize,CLSIDFromString,IIDFromString,CoCreateInstance,

0_2_0000000180001A10

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF63A844810 LoadResource,LockResource,SizeofResource,

0_2_00007FF63A844810

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4D2140 WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess,

1_2_000001845C4D2140

Source: C:\Windows\System32\svchost.exe

File created: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Jump to behavior

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: dllhost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: dllhost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}

Source: unknown	Process created: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe "C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\arphaCrashReport64.exe "C:\Program Files\Windows Mail\arphaCrashReport64.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\arphaCrashReport64.exe "C:\Program Files\Windows Mail\arphaCrashReport64.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: arphadump64.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior

Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.bin	Jump to behavior

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static file information: File size 2319360 > 1048576

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1fde00

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: 2024-12-10#U67e5#U9605_uninst.exe, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000004.00000002.1695190285.0000000180039000.00000002.00000001.01000000.00000005.sdmp, arphaDump64.dll.1.dr
Source:	Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: 2024-12-10#U67e5#U9605_uninst.exe, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1686726549.000002C44DFF0000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2919665024.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2925789716.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000004.00000002.1698239793.00007FF7B5E32000.00000002.00000001.01000000.00000004.sdmp, arphaCrashReport64.exe, 00000004.00000000.1687919776.00007FF7B5E32000.00000002.00000001.01000000.00000004.sdmp, arphaCrashReport64.exe.1.dr

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4E4080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,

1_2_000001845C4E4080

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8C7CA5 push rdi; retf	0_2_00007FF63A8C7CA6
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8C8B14 push rax; ret	0_2_00007FF63A8C8B15
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8C8379 push rbx; ret	0_2_00007FF63A8C837A
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8C755A push rbx; retf	0_2_00007FF63A8C7560
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DC3E0 push rcx; ret	1_2_000001845C4DC3E1
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001C3E0 push rcx; ret	2_2_000000018001C3E1
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800619F7 push FF491775h; ret	2_2_00000001800619FC
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001C3E0 push rcx; ret	3_2_000000018001C3E1
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_00000001800619F7 push FF491775h; ret	3_2_00000001800619FC

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4E30FE VirtualFree,VirtualFree,malloc,malloc,VirtualFree,VirtualFree,NetUserAdd,Sleep,NetLocalGroupAddMembers,free,free,

1_2_000001845C4E30FE

Source: C:\Windows\System32\svchost.exe	File created: C:\Program Files\Windows Mail\arphaCrashReport64.exe			Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Program Files\Windows Mail\arphaDump64.dll			Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4ED060 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_000001845C4ED060

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4DBFC0 OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,

1_2_000001845C4DBFC0

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Windows\System32\dllhost.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Windows\System32\svchost.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode	graph_0-49548

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4D6F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

1_2_000001845C4D6F60

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	0_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	1_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	1_2_000001845C4ED140
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_000001845C4EF890
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	2_2_000000018002D140
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_000000018002F890
Source: C:\Windows\System32\dllhost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	3_2_000000018002D140
Source: C:\Windows\System32\dllhost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018002F890

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Window / User API: threadDelayed 6658

Jump to behavior

Source: C:\Windows\System32\svchost.exe	API coverage: 4.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.5 %
Source: C:\Windows\System32\dllhost.exe	API coverage: 3.2 %

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe TID: 7328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7352	Thread sleep count: 6658 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7352	Thread sleep time: -66580s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DDDD0 malloc,memset,FindFirstFileW,free,	1_2_000001845C4DDDD0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DC850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_000001845C4DC850
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DE210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	1_2_000001845C4DE210
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DCCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_000001845C4DCCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	2_2_000000018001E210
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_000000018001C850
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_000000018001CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	2_2_000000018001DDD0
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_000000018001E210
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018001C850
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018001CCF0
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	3_2_000000018001DDD0

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4ECD30 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,lstrcpyW,lstrcatW,

1_2_000001845C4ECD30

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF63A828CF2 GetSystemInfo,

0_2_00007FF63A828CF2

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: svchost.exe, 00000001.00000000.1663519946.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1684021102.000002C44C3DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>
Source: dllhost.exe, 00000006.00000002.2921187707.0000020EEF7BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.1684021102.000002C44C3DF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000000.1663537334.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2922208348.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2922212863.000002397F413000.00000004.00000020.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000004.00000002.1696340165.000001F74496C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921113475.000001D0C9A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dllhost.exe, 00000003.00000002.2920913245.00000270092CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllff

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	API call chain: ExitProcess graph end node			graph_0-49554
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4EE010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,

1_2_000001845C4EE010

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF63AA06EF8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF63AA06EF8

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF63AA016A4 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF63AA016A4

Source: C:\Windows\System32\svchost.exe

1_2_000001845C4D6F60

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_0000000180034DA0 VirtualAlloc ?,?,00000000,0000000180035130,?,?,00000000,0000000180014AAC

2_2_0000000180034DA0

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4E4080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,

1_2_000001845C4E4080

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF63A8274A0 GetProcessHeap,

0_2_00007FF63A8274A0

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63AA06EF8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF63AA06EF8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63AA00E60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF63AA00E60
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63AA012BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF63AA012BC
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001801127E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00000001801127E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001801127E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00000001801127E0
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C520030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_000001845C520030
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0000000180060030
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0000000180064130
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0000000180060770
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0000000180060030
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0000000180064130
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000000180060770

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\svchost.exe

File created: arphaCrashReport64.exe.1.dr

Jump to dropped file

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B370000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845BE00000 protect: page read and write	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B390000 protect: page read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845C370000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845C380000 protect: page read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845C410000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845C420000 protect: page read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4DF9E0 VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,GetLastError,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,memset,GetThreadContext,SetThreadContext,memset,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,GetLastError,

1_2_000001845C4DF9E0

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E9E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	1_2_000001845C4E9E10
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4DF710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	1_2_000001845C4DF710
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4EE4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	1_2_000001845C4EE4D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	2_2_000000018002E4D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	2_2_000000018001F710
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	2_2_0000000180029E10
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	3_2_000000018002E4D0
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	3_2_000000018001F710
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	3_2_0000000180029E10

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74513B0C3	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74514D1CC	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745140883	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x1F74514D88C	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAdjustPrivilegesToken: Direct from: 0x1F745140727	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x1F74514D52B	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x1F74514D84B	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74512E173	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtClose: Direct from: 0x1F74514052B
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745132212	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x1F74512B93E	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQueryInformationProcess: Direct from: 0x1F7451291B3	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtUnmapViewOfSection: Direct from: 0x1F74514C9C4	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74512D3EB	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x7FFE221C26A1	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F7451409C4	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F7451408EE	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x1F74513216D	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745140A2F	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x1F74513244C	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745128FB0	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74512B8AD	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74514069D	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745140818	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x1F745129000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x1F74514D89D	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x1F74512E6D2	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x1F74514D4F8	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74513B08C	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745140544	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtClose: Direct from: 0x1F745140741
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74513B131	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x1F74514C984	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAdjustPrivilegesToken: Direct from: 0x1F74512C5C9	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74513AFDD	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAdjustPrivilegesToken: Direct from: 0x1F745140511	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74513B0FA	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x1F74512E8B1	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745140959	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745128494	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F74512E4F4	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtClose: Direct from: 0x1F74514CA47
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745140758	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F7451407AD	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F745140A9A	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1F7451321DB	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x1F74512E065	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtUnmapViewOfSection: Direct from: 0x1F74514C9A7	Jump to behavior

Hijacks the control flow in another process

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Memory written: PID: 1044 base: 1845B370000 value: E9

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 7368	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 7500	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 7400	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 7532	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B370000	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845BE00000	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 270091A0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 27009230000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 27009190000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845C370000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845C380000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845C410000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845C420000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 20EEF530000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 20EEF5C0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 20EEF520000	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	1_2_000001845C4D2140
Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	2_2_0000000180012140
Source: C:\Windows\System32\dllhost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	3_2_0000000180012140

Source: C:\Windows\System32\svchost.exe

1_2_000001845C4EE010

Source: C:\Windows\System32\svchost.exe

1_2_000001845C4EE010

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\arphaCrashReport64.exe "C:\Program Files\Windows Mail\arphaCrashReport64.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior

Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior

Source: svchost.exe, 00000002.00000003.2918301064.0000023900B40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2921666834.0000023900B40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2918329668.0000023900B20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000002.00000003.2314289158.0000023900C60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2314477801.0000023900BE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2328737234.000001D0CB110000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TCPProgram ManagerT
Source: svchost.exe, 00000002.00000003.2918545090.0000023900BE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2918351000.0000023900C60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TCPProgram Manager
Source: svchost.exe, 00000002.00000003.2314269589.0000023900B40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2314244751.0000023900B20000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000003.00000003.2294706815.000002700B8B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerT

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_000000018002BBA8 cpuid

0_2_000000018002BBA8

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4E7E20 CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,

1_2_000001845C4E7E20

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF63AA0F09C GetSystemTimeAsFileTime,

0_2_00007FF63AA0F09C

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000001845C4E24E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

1_2_000001845C4E24E0

Stealing of Sensitive Information

Yara detected ValleyRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR

Remote Access Functionality

Yara detected ValleyRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A858C00 WSAGetLastError,socket,WSAGetLastError,bind,WSAGetLastError,bind,WSAGetLastError,	0_2_00007FF63A858C00
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A8549E0 socket,bind,WSAGetLastError,WSAGetLastError,WSAGetLastError,	0_2_00007FF63A8549E0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF63A846320 socket,bind,SetLastError,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,	0_2_00007FF63A846320
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C4E1520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	1_2_000001845C4E1520
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C507630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	1_2_000001845C507630
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C50A830 socket,socket,htonl,bind,getsockname,	1_2_000001845C50A830
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000001845C516B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	1_2_000001845C516B30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	2_2_0000000180021520
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	2_2_0000000180047630
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018004A830 socket,socket,htonl,bind,getsockname,	2_2_000000018004A830
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	2_2_0000000180056B30
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	3_2_0000000180021520
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	3_2_0000000180047630
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_000000018004A830 socket,socket,htonl,bind,getsockname,	3_2_000000018004A830
Source: C:\Windows\System32\dllhost.exe	Code function: 3_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	3_2_0000000180056B30

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	3 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	12 Windows Service	11 Access Token Manipulation	2 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	12 Service Execution	1 Scheduled Task/Job	12 Windows Service	1 DLL Side-Loading	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	623 Process Injection	12 Masquerading	Cached Domain Credentials	1 Network Share Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Valid Accounts	DCSync	41 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	21 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	4 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	623 Process Injection	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Indicator Removal	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Program Files\Windows Mail\arphaCrashReport64.exe	4%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.wshifen.com	103.235.47.188	true	false		high
www.baidu.com	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.154.172.193	unknown	Japan		4249	LILLY-ASUS	false
103.235.47.188	www.wshifen.com	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572748
Start date and time:	2024-12-10 20:48:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2024-12-10#U67e5#U9605_uninst.exe renamed because original name is a hash value
Original Sample Name:	2024-12-10_uninst.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@11/5@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 37 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 2024-12-10#U67e5#U9605_uninst.exe

Simulations

Behavior and APIs

Time	Type	Description
14:49:49	API Interceptor	4254x Sleep call for process: svchost.exe modified
19:48:57	Task Scheduler	Run new task: MicrosoftEdgeUpdate path: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.235.47.188	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	Iifpj4i2kC.exe	Get hash	malicious	FormBook	Browse	www.zruypj169g.top/md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA==
	3.exe	Get hash	malicious	BlackMoon, XRed	Browse	www.baidu.com/
	CZyOWoN2hiszA6d.exe	Get hash	malicious	FormBook	Browse	www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd
	f2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	LisectAVT_2403002A_489.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe	Get hash	malicious	Bdaejec	Browse	www.baidu.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.wshifen.com	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	b6FArHy7yA.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	360safe.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
	XiaobingOnekey.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	DNF#U604b#U62180224a.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://profdentalcare.com	Get hash	malicious	Unknown	Browse	103.235.46.96
	Iifpj4i2kC.exe	Get hash	malicious	FormBook	Browse	103.235.47.188
	https://www.baidu.com/link?url=7AgUGxkCgEsQdPm9T1PXcA0XghaPOWMLvdhGyyVngg844uS4x-KZy4IMqs1ov0OgdFqhAB-_X2oOV9exK4hWC_&wd=ZWxraW58WTI5eVpUUmpaUzVqYjIwPXxNYkdVSlpkdVROdWNyeW1UWU1laElVVW1QbGRGb0F5RmNLcWJadW1CT01YYw==	Get hash	malicious	HTMLPhisher	Browse	103.235.46.96
	kHslwiV2w6.exe	Get hash	malicious	FormBook	Browse	103.235.47.188

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	hax.mpsl.elf	Get hash	malicious	Mirai	Browse	182.61.224.158
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	180.76.229.255
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	.akcqrfutuo.elf	Get hash	malicious	Unknown	Browse	106.13.55.248
	b6FArHy7yA.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	360safe.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
	XiaobingOnekey.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	arm7.elf	Get hash	malicious	Mirai	Browse	106.13.224.235
	splarm.elf	Get hash	malicious	Unknown	Browse	180.76.142.163
LILLY-ASUS	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	43.153.180.60
	Josho.arm.elf	Get hash	malicious	Unknown	Browse	43.75.63.212
	Josho.m68k.elf	Get hash	malicious	Unknown	Browse	40.171.24.94
	Josho.mpsl.elf	Get hash	malicious	Unknown	Browse	42.139.61.210
	hax.spc.elf	Get hash	malicious	Mirai	Browse	42.171.217.5
	http://enteolcl.top/	Get hash	malicious	Unknown	Browse	43.175.135.109
	hax.arm7.elf	Get hash	malicious	Mirai	Browse	42.175.33.200
	hax.mpsl.elf	Get hash	malicious	Mirai	Browse	40.225.254.87
	hax.sh4.elf	Get hash	malicious	Mirai	Browse	40.223.139.135
	hax.arm5.elf	Get hash	malicious	Mirai	Browse	40.218.241.92

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Windows Mail\arphaCrashReport64.exe	png131.exe	Get hash	malicious	ValleyRAT	Browse
	install.exe	Get hash	malicious	ValleyRAT	Browse
	Telegrm2.69.exe	Get hash	malicious	Unknown	Browse
	Telegrm2.69.exe	Get hash	malicious	Unknown	Browse
	file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip	Get hash	malicious	Unknown	Browse
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse
	Cbrome1.0.exe	Get hash	malicious	Unknown	Browse
	Supe.exe	Get hash	malicious	Unknown	Browse
	Cbrome1.0.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files\Windows Mail\arphaCrashReport64.exe

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238384
Entropy (8bit):	6.278635939854228
Encrypted:	false
SSDEEP:	3072:fN9rZ5vuFomptSepjTxUPjfOgwXCtRLDya09M9EvoHmkQ/2Y8L6vVefD:rZ5qomPSeCx7tRNQjSfD
MD5:	8B5D51DF7BBD67AEB51E9B9DEE6BC84A
SHA1:	DD63C3D4ACF0CE27F71CCE44B8950180E48E36FA
SHA-256:	E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
SHA-512:	1B4350D51C2107D0AA22EB01D64E1F1AB73C28114045C388BAF9547CC39A902C8A274A24479C7C2599F94C96F8772E438F21A2849316B5BD7F5D47C26A1E483B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: png131.exe, Detection: malicious, Browse Filename: install.exe, Detection: malicious, Browse Filename: Telegrm2.69.exe, Detection: malicious, Browse Filename: Telegrm2.69.exe, Detection: malicious, Browse Filename: file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip, Detection: malicious, Browse Filename: SvpnLong2.exe, Detection: malicious, Browse Filename: SvpnLong2.exe, Detection: malicious, Browse Filename: Cbrome1.0.exe, Detection: malicious, Browse Filename: Supe.exe, Detection: malicious, Browse Filename: Cbrome1.0.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...:...:...:...;...:...;)..:...;...:...;...:...;...:...;...:...;...:3..;...:...:...:3..;...:3.4:...:..\:...:3..;...:Rich...:........................PE..d......`.........."..........t......$..........@....................................j.....`..........................................................p...-...P.......h..0;......l...P...8.......................(.................... ..@............................text............................... ..`.rdata..F.... ......................@..@.data...L&... ......................@....pdata.......P......................@..@.rsrc....-...p.......2..............@..@.reloc..l............`..............@..B........................................................................................................................................................................................................................

C:\Program Files\Windows Mail\arphaDump64.bin

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	546252
Entropy (8bit):	6.544066734855226
Encrypted:	false
SSDEEP:	12288:awnKbeNO/thmmWIK3z9rG3U9szzrHUPRxG0+UfYlrYS:flXDp9HPYlr5
MD5:	41A525ADD2B2B33FB9681C0E65E57B55
SHA1:	FC90352608D96D0454A2F51D7EEC7B6ECA687505
SHA-256:	3EE9E55C4C469042C3622D84CB4DA2EBCFA77C1D2517564AC289BA5D17264D64
SHA-512:	4CEB617727D6CF40E81E715BA2FBDB440859B3DC2DAC592FDAE93EB5577CDE341191AA98A87D3CFF3AF9D2CE95C465A71D7FC0CF004243C947F781BB0C263CD1
Malicious:	false
Reputation:	low
Preview:	4...H..(H...D$8run.H.L$8.O...H..(...eH..%`......D..3.L..E..t"A........A..a.J..L.I....A..D....u..H.A.....H.\$.H.l$.H.t$.WAVAWH.. D......H.P.H.j L..I.......M..L.P0M..tLIcB<B.........t<I.<..O.I...j....w 3.I..D..9_.v...I...P...A..D;.t+..H...;_.r.L;.u.3.H.\$@H.l$HH.t$PH.. A_A^_.O$I..D...Y.O.I..B...I.......@SH.. H.......%...H..H.. [H....H.\$.WH.. H..H...........H..H..H.\$0H.. _H.....H.\$.UVWATAUAVAWH.. L..M..3.Z.H........2=..L.......-A..H.D$x....M..M.f.H.D$p3...A..y.H..(fA;A.s\|I..9.u29E8~ZHc]8A......O.H..I..A.....A..L..G.3.H...T$p.-.O.A.......I..A.....A..W.H..D..I..H...T$x._.I....H..(..H......;.\|.H.\$`H.. A_A^A]A\_^].H.\$.H.l$.H.t$ WATAUAVAWH..@L..-A........ ...H.L$ D..H..3...D.g.E..H.L$ A....E..W.H.L$$..E..W.H.L$(..E..W.H.L$,..E..W.H.L$0..E..W`H.L$4..E..H.L$8....E..W H.L$<....O.B....../.H...5...M..E3.L..A..H.........A..Y.I.q0H..(H#.fE;i.......I..D.C.A.....A.....E..A#.A...A#.A....s..K.A..@....H.....OH..B..I..RD.T. A....A....D.CT. ..u.A..@t.A.A ..E..y.A.A$..t..K.L.L$pH...E.

C:\Program Files\Windows Mail\arphaDump64.dll

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	286720
Entropy (8bit):	6.3893906748659095
Encrypted:	false
SSDEEP:	3072:HxZrTgN6uyqfkqc53wuY+OrGW2LRKK9+R/BsP3VkxQO6yOxaXLNC3dvMvuTYpr:fsxkmyLRKiM/BsNd3yGaXpruT2r
MD5:	A0DDABA09C3626E07A748C662B83BE19
SHA1:	C28FA5C63075CD8846143F417A0C0D4874675B0F
SHA-256:	31E1AA8C30756D56F8E0038D37AAAC5A53976D1DB05D3534B8B2E1AA21407B4B
SHA-512:	59BAD78B84C4DA7097E87BA67CEB3CEB6F72774FEA78FBD7E2168E548A7860197708AD96CC5010A2D5669427BC916F5CC24F5F27AF8B474AC62DE620C757B41F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K+...Js..Js..Js.D2p..Js.D2v..Js.D2w..Js...p..Js...w..Js...v.,Js.D2r..Js..Jr.jJs...z..Js...s..Js.....Js...q..Js.Rich.Js.................PE..d....DDg.........." ...*.............^....................................................`..........................................,.......-..<............p..........................p.......................(.......@............................................text...P~.......................... ..`.rdata.............................@..@.data....&...@.......,..............@....pdata.......p.......B..............@..@.reloc...............X..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3188
Entropy (8bit):	3.559862861079417
Encrypted:	false
SSDEEP:	48:yei1q9tNTPQOYZj9c9V9Lbra+iaiudupRCRvA9ufAuRa7T5XhPsV8ic4dTCp+++:t7U4diaigVA9ll7dhFFb+
MD5:	53DCF71FCE78EA4C7B41FB4D973E5815
SHA1:	46FB4C836823ABC49A153F6385D66C5F9E0CA30D
SHA-256:	464DAC2210C387ADA19C7DF46AE18B628E1D8F9EA34DD7EDF812289CFECAF4DB
SHA-512:	BF9C4DBEC061FE85A099C4D8E31C09B75F9B8CDDD554CA0F241A63E08B463242A30272B423C0ED9F5A38844A89924530C358442EB898837CC00B1368C439008B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.A.u.t.h.o.r.>.S.Y.S.T.E.M.<./.A.u.t.h.o.r.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.M.i.c.r.o.s.o.f.t. .E.d.g.e. .U.p.d.a.t.e. .T.a.s.k. .M.a.c.h.i.n.e.C.o.r.e.<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t.E.d.g.e.U.p.d.a.t.e.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.B.o.o.t.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.B.o.o.t.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.U.s.e.r.I.d.>.S.-.1.-.5.-.1.8.<./.U.s.e.r.I.d.

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.711019165288102
Encrypted:	false
SSDEEP:	96:pYMguQII4ij6h4aGdinipV9ll7UY5HAmzQ+:9A4L/xne7HO+
MD5:	B09EE389FED6402C80024A5082984BC0
SHA1:	4CA5CFB1B224A69C0BDF9EB17F6897B1ACFEA8A4
SHA-256:	F91EE59F8FFAB6027C46C37E1DB4AE8D1F5B50F26D5957299354ABDA5D4EDE18
SHA-512:	50C4C96A2BEFCD688186BDAE1A68385BD76A0BB52C766DE2EEF7F33836BBC6C625EDB7BD403F5634B688A93065978B60A133E569E325E47DEA9A4296116C5526
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.132204010116387
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2024-12-10#U67e5#U9605_uninst.exe
File size:	2'319'360 bytes
MD5:	0aa972dc4d2fe4c5f9a7a9d26ea3f51f
SHA1:	2e141f8072836b479572b1d7fa468727011601eb
SHA256:	bb1d91e8f93a1b08b098969e48a12d2f2b8203a30de0c3d85ec8cd36a3fa8049
SHA512:	fcfad174c11e8085161afeebb0b4380bf82105ff3e108f09e115be7e51ef53a24159f12637862cdca4f770019fdaf78972966a81d406eedcc75a1b104fa072a0
SSDEEP:	49152:soQVMCMbSwPwOTINyDiSym2GBKhrKhpYVNw:WZoPZI0D3yLGB6wpYVNw
TLSH:	94B58D58258E8EA1F56F70B8990092D2DF22F52442B087FB37C5D655352A26CC8FFBC6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M..)...z...z...zB..{...zB..{...zB..{...z[..{...z[..{...z[..{;..z...z...z...{...zB..{...z...z...z...{...z...{...zRich...z.......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1401e0afc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6757D86F [Tue Dec 10 05:58:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	30e5e37178bcd33feee09c46955e53d9

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FB15CDA3F4Ch
dec eax
add esp, 28h
jmp 00007FB15CDA33BFh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
jmp 00007FB15CDA3551h
dec eax
mov ecx, ebx
call 00007FB15CDB3682h
test eax, eax
je 00007FB15CDA3555h
dec eax
mov ecx, ebx
call 00007FB15CDA942Ah
dec eax
test eax, eax
je 00007FB15CDA3529h
dec eax
add esp, 20h
pop ebx
ret
dec eax
cmp ebx, FFFFFFFFh
je 00007FB15CDA3548h
call 00007FB15CDA4084h
int3
call 00007FB15CDA409Eh
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
mov edx, 00000FA0h
dec eax
lea ecx, dword ptr [00050A06h]
call dword ptr [0001E510h]
dec eax
lea ecx, dword ptr [00025401h]
call dword ptr [0001E6A3h]
dec eax
mov ebx, eax
dec eax
test eax, eax
jne 00007FB15CDA3557h
dec eax
lea ecx, dword ptr [00025434h]
call dword ptr [0001E68Eh]
dec eax
mov ebx, eax
dec eax
test eax, eax
je 00007FB15CDA35C1h
dec eax
lea edx, dword ptr [0002543Fh]
dec eax
mov ecx, ebx
call dword ptr [0001E5A6h]
dec eax
lea edx, dword ptr [0002544Fh]
dec eax
mov ecx, ebx
dec eax
mov edi, eax
call dword ptr [0001E593h]
dec eax
test edi, edi
je 00007FB15CDA3557h
dec eax
test eax, eax
je 00007FB15CDA3552h
dec eax
mov dword ptr [000009CAh], edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x217cb4	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x233000	0x7e78	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x23b000	0x18d4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x210750	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x210900	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x210790	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1ff000	0x590	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1fdc40	0x1fde00	abc775d348f8fcdba8ba056dc90b6a66	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1ff000	0x19e0c	0x1a000	ad081c80f064c5b3d90710fd215ad089	False	0.3142841045673077	data	4.61868901075285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x219000	0x1986c	0x14800	65b50643df565d23f37475f99d8a275a	False	0.8717487614329268	DIY-Thermocam raw data (Lepton 2.x), scale 20575-8256, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 214.254868	7.671876601140216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x233000	0x7e78	0x8000	b714e5ad635fdebcddda0a616c83f649	False	0.45068359375	data	5.558361042678715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x23b000	0x18d4	0x1a00	a68bb8e43de5a6407a0e583bf4cb460c	False	0.3073918269230769	data	5.379536810924863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	Sleep, LocalFree, WriteConsoleW, InitializeCriticalSectionEx, GetLastError, DecodePointer, DeleteCriticalSection, RaiseException, GetProcessHeap, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, CreateEventA, InitializeCriticalSectionAndSpinCount, InitializeConditionVariable, CloseHandle, GetSystemInfo, ResetEvent, PostQueuedCompletionStatus, WaitForSingleObject, EnterCriticalSection, SetEvent, GetQueuedCompletionStatus, GetCurrentThreadId, LeaveCriticalSection, GetExitCodeThread, TerminateThread, SetLastError, CreateTimerQueue, InitializeSRWLock, DeleteTimerQueueEx, lstrlenA, CreateFileA, GetFileSize, CreateFileMappingA, MapViewOfFileEx, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleA, GetProcAddress, GetCurrentThread, WakeConditionVariable, CreateIoCompletionPort, WakeAllConditionVariable, SwitchToThread, SleepConditionVariableCS, FindResourceExW, LoadResource, LockResource, SizeofResource, FindResourceW, GetNativeSystemInfo, CreateTimerQueueTimer, WaitForMultipleObjects, UnmapViewOfFile, AcquireSRWLockShared, ReleaseSRWLockShared, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, lstrcatA, lstrcatW, VirtualAlloc, GetCurrentProcessId, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, RtlUnwindEx, RtlPcToFileHeader, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetFileType, GetTimeZoneInformation, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetStringTypeW, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, CreateFileW
SHLWAPI.dll	StrChrA
USER32.dll	MsgWaitForMultipleObjects, TranslateMessage, UnregisterClassA, PeekMessageA, DispatchMessageA
WS2_32.dll	getsockname, getpeername, ntohl, htonl, WSAIoctl, setsockopt, getsockopt, ioctlsocket, send, shutdown, closesocket, WSASend, WSASetLastError, inet_pton, ntohs, __WSAFDIsSet, WSAStartup, WSACleanup, socket, bind, listen, WSAGetOverlappedResult, connect, WSACreateEvent, WSAEventSelect, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, recv, WSAResetEvent, WSACloseEvent, WSAGetLastError, freeaddrinfo, getaddrinfo, inet_ntop, htons, select, WSAStringToAddressA, WSARecv
WINMM.dll	timeGetTime
SHELL32.dll	CommandLineToArgvW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 20:48:56.107781887 CET	49730	80	192.168.2.4	103.235.47.188
Dec 10, 2024 20:48:56.227516890 CET	80	49730	103.235.47.188	192.168.2.4
Dec 10, 2024 20:48:56.227754116 CET	49730	80	192.168.2.4	103.235.47.188
Dec 10, 2024 20:48:57.595433950 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:48:57.715226889 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:48:57.715336084 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:48:57.808696032 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:48:57.930028915 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:48:58.938450098 CET	49730	80	192.168.2.4	103.235.47.188
Dec 10, 2024 20:48:59.242044926 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:48:59.285109043 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:48:59.340114117 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:48:59.463165998 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:48:59.998645067 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:00.124685049 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:00.124761105 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:00.124926090 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:00.245006084 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:01.652539968 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:01.705017090 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:01.988873959 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:02.111066103 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:09.470652103 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:09.590239048 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:12.111279011 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:12.230902910 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:19.595693111 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:19.716212034 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:22.236279964 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:22.356534004 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:29.720675945 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:29.840332031 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:32.361455917 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:32.481940985 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:39.845693111 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:39.965178967 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:42.486428976 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:42.605894089 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:49.970822096 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:50.090223074 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:49:52.611330032 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:49:52.733249903 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:00.095706940 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:00.215064049 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:01.552089930 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:01.671542883 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:02.736428976 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:02.856194973 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:02.999219894 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:03.119035006 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:11.689459085 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:11.809035063 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:13.127335072 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:13.250214100 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:21.814479113 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:21.936803102 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:23.267589092 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:23.386888981 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:31.939493895 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:32.061321974 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:33.392721891 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:33.512592077 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:42.080100060 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:42.199404001 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:43.517611980 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:43.637032032 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:52.205213070 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:52.324856997 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:50:53.642636061 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:50:53.761924982 CET	80	49732	43.154.172.193	192.168.2.4
Dec 10, 2024 20:51:01.958594084 CET	49731	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:51:02.078104019 CET	80	49731	43.154.172.193	192.168.2.4
Dec 10, 2024 20:51:03.596160889 CET	49732	80	192.168.2.4	43.154.172.193
Dec 10, 2024 20:51:03.715568066 CET	80	49732	43.154.172.193	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 20:48:55.950741053 CET	57147	53	192.168.2.4	1.1.1.1
Dec 10, 2024 20:48:56.088651896 CET	53	57147	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 20:48:55.950741053 CET	192.168.2.4	1.1.1.1	0x3e7b	Standard query (0)	www.baidu.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 20:48:56.088651896 CET	1.1.1.1	192.168.2.4	0x3e7b	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 20:48:56.088651896 CET	1.1.1.1	192.168.2.4	0x3e7b	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 20:48:56.088651896 CET	1.1.1.1	192.168.2.4	0x3e7b	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Dec 10, 2024 20:48:56.088651896 CET	1.1.1.1	192.168.2.4	0x3e7b	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	43.154.172.193	80	7368	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 20:48:57.808696032 CET	56	OUT	Data Raw: 21 27 12 28 15 11 15 2d 02 20 1e 23 27 12 2f 0b 0d 2f 02 01 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 Data Ascii: !'(- #'//::::::::::::::::::::::::::::::::=8
Dec 10, 2024 20:48:59.242044926 CET	85	IN	Data Raw: 1b 1c 23 2b 0e 23 1a 22 2d 2b 26 2b 28 27 2f 1f 01 2d 2f 0f 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5e 3a 3a 3a 27 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c 63 b2 12 b1 e2 b3 e2 01 92 dc 56 1c 56 9c 60 9a d7 8a df 8a 9a 00 00 bc Data Ascii: #+#"-+&+('/-/::::::::::::::::;:::^:::':::::::=8xcVV`a
Dec 10, 2024 20:48:59.340114117 CET	830	OUT	Data Raw: 1b 1c 23 2b 0e 23 1a 22 2d 2b 26 2b 28 27 2f 1f 01 2d 2f 0f 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 08 13 3a 3a 3c 39 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 59 df 6b 1a 41 10 2e e6 c5 a8 b5 79 f0 21 48 28 25 94 52 4a e9 53 9f Data Ascii: #+#"-+&+('/-/::::::::::::::::;:::::<9::::::=8xYkA.y!H(%RJSR(aG$!MHITol=\v]7ID(S6A)>%sTG[-S/:--tpLS6\E>8f3{5W`Bk78XR^LwH;NgNjGY\|!p
Dec 10, 2024 20:49:09.470652103 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:49:19.595693111 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:49:29.720675945 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:49:39.845693111 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:49:49.970822096 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:50:00.095706940 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:50:01.552089930 CET	631	OUT	Data Raw: 16 1d 29 2c 29 10 16 1f 04 0f 20 06 2f 07 05 1d 0d 29 2c 1c 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 32 1a 3a 3a 6c 1b 3a 3a 05 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 41 4b eb 40 10 86 77 12 de c5 83 07 29 22 22 2a 22 f2 f0 e0 e9 c3 Data Ascii: ),) /),::::::::::::::::2::l::8::::::=8xXAK@w)""*"(Hj\|4mZQVlSkmk"0~3iEr!FwTA<~\f>v#d%.O9brJ]A\R);$H_$P8f\|JK},u)'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	43.154.172.193	80	7500	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 20:49:00.124926090 CET	56	OUT	Data Raw: 1b 1c 23 2b 0e 23 1a 22 2d 2b 26 2b 28 27 2f 1f 01 2d 2f 0f 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 Data Ascii: #+#"-+&+('/-/::::::::::::::::::::::::::::::::=8
Dec 10, 2024 20:49:01.652539968 CET	85	IN	Data Raw: 11 11 1b 15 0e 17 23 20 1c 1f 2a 0c 19 2e 0c 19 0b 19 13 09 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5e 3a 3a 3a 27 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c 63 b2 12 b1 e2 b3 e2 01 92 dc 56 1c 56 9c 60 9a d7 8a df 8a 9a 00 00 bc Data Ascii: # *.::::::::::::::::;:::^:::':::::::=8xcVV`a
Dec 10, 2024 20:49:01.988873959 CET	803	OUT	Data Raw: 12 14 03 05 13 0c 2b 20 1d 13 2e 03 02 2b 1f 23 05 20 19 24 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 26 13 3a 3a d1 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 df 6f 12 41 10 36 f4 85 02 d6 3e f0 d0 90 c6 98 46 8d 31 c6 27 9f Data Ascii: + .+# $::::::::::::::::;:::&::8::::::=8xXoA6>F1'&#HCiiZpD"nofvgvv$H"#/'-1"ehK]G,M)pPl&voSVUv,?Nq3<A_Im)9OS
Dec 10, 2024 20:49:12.111279011 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:49:22.236279964 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:49:32.361455917 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:49:42.486428976 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:49:52.611330032 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:50:02.736428976 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:50:02.999219894 CET	631	OUT	Data Raw: 15 09 26 1c 24 0b 1e 1c 04 0b 2c 02 0a 05 15 0b 13 07 27 01 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 32 1a 3a 3a 6c 1b 3a 3a 05 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 41 4b eb 40 10 86 77 12 de c5 83 07 29 22 22 2a 22 f2 f0 e0 e9 c3 Data Ascii: &$,'::::::::::::::::2::l::8::::::=8xXAK@w)""*"(Hj\|4mZQVlSkmk"0~3iEr!FwTA<~\f>v#d%.O9brJ]A\R);$H_$P8f\|JK},u)'

Target ID:	0
Start time:	14:48:54
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe"
Imagebase:	0x7ff63a820000
File size:	2'319'360 bytes
MD5 hash:	0AA972DC4D2FE4C5F9A7A9D26EA3F51F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:48:55
Start date:	10/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:48:56
Start date:	10/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:48:56
Start date:	10/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase:	0x7ff70f330000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:48:57
Start date:	10/12/2024
Path:	C:\Program Files\Windows Mail\arphaCrashReport64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Mail\arphaCrashReport64.exe"
Imagebase:	0x7ff7b5e10000
File size:	238'384 bytes
MD5 hash:	8B5D51DF7BBD67AEB51E9B9DEE6BC84A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:48:58
Start date:	10/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	14:48:58
Start date:	10/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase:	0x7ff70f330000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	19.3%
Signature Coverage:	26.2%
Total number of Nodes:	424
Total number of Limit Nodes:	12

Executed Functions

Function 00000001800015B0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 211
servicestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00000001800015E5
memcpy.NTDLL ref: 0000000180001609
malloc.MSVCRT ref: 0000000180001613
memset.NTDLL ref: 0000000180001648
memset.NTDLL ref: 00000001800016A8
GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
malloc.MSVCRT ref: 00000001800016CD
memset.NTDLL ref: 00000001800016E7
memcpy.NTDLL ref: 00000001800016F5
OpenSCManagerW.ADVAPI32 ref: 0000000180001789
EnumServicesStatusExW.ADVAPI32 ref: 00000001800017D0
malloc.MSVCRT ref: 00000001800017E2
memset.NTDLL ref: 00000001800017FC
EnumServicesStatusExW.ADVAPI32 ref: 0000000180001838
CloseServiceHandle.ADVAPI32 ref: 0000000180001845
free.MSVCRT ref: 000000018000184E
CloseServiceHandle.ADVAPI32 ref: 0000000180001856
lstrcmpiW.KERNEL32 ref: 0000000180001881

Strings

Schedule, xrefs: 0000000180001872

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
String ID: Schedule
API String ID: 3636854120-2739827629
Opcode ID: 70ccbce7ac579554b00e68964982556cd3487ef553e62ff7290f06c43de960f4
Instruction ID: 77915f136d28d9010cc6e861f3bfda285807add5c1f84c5dca0c70953a9b4365
Opcode Fuzzy Hash: 70ccbce7ac579554b00e68964982556cd3487ef553e62ff7290f06c43de960f4
Instruction Fuzzy Hash: A3A1AE36705B8486EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

Function 00007FF63A85ADD0 Relevance: 28.1, APIs: 5, Strings: 2, Instructions: 15804networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63A843200: ResetEvent.KERNEL32(?,?,?,?,00007FF63A8BD30E), ref: 00007FF63A843211

WSAGetLastError.WS2_32 ref: 00007FF63A866D70
WSAGetLastError.WS2_32 ref: 00007FF63A869E82
GetLastError.KERNEL32 ref: 00007FF63A86C58E
SetLastError.KERNEL32 ref: 00007FF63A86C5B0

Strings

,4=H, xrefs: 00007FF63A863CE1
bh5(', xrefs: 00007FF63A85F682

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast$EventReset
String ID: bh5('$,4=H
API String ID: 3410914340-298069639
Opcode ID: 8bf2926e3c4078e62d6db7854044052cef78856126e4dd2c86e2c5eb1fe41bbb
Instruction ID: c2f58e9707a85c5b8779a351149ce14ca28ff41ccb03bf7b98e34f3b1c5e425b
Opcode Fuzzy Hash: 8bf2926e3c4078e62d6db7854044052cef78856126e4dd2c86e2c5eb1fe41bbb
Instruction Fuzzy Hash: 8574613A90C6D24BE329DF24E8A55FA77E1EB85301F04517AE689C7B56CE3CA405BF40

Function 00007FF63A87B922 Relevance: 15.5, APIs: 7, Instructions: 5049networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 00007FF63A87C23A
WSAGetLastError.WS2_32 ref: 00007FF63A87C293
connect.WS2_32 ref: 00007FF63A87DD10
GetLastError.KERNEL32 ref: 00007FF63A87DDCA

Part of subcall function 00007FF63A83DAD0: select.WS2_32 ref: 00007FF63A83DCB4

WSAEventSelect.WS2_32 ref: 00007FF63A87EA0C
WSASetLastError.WS2_32 ref: 00007FF63A87F229
WSASetLastError.WS2_32 ref: 00007FF63A880EEC

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast$connect$EventSelectselect
String ID:
API String ID: 2159918928-0
Opcode ID: 02f99bb89bd9bec302923d8007e00a99b7d901f9d53df09aa5ed8d383f7659a2
Instruction ID: 9a30343edcc84cac3d853ef85bf262423c3df1189ffde641f5af2b6cc649ed4e
Opcode Fuzzy Hash: 02f99bb89bd9bec302923d8007e00a99b7d901f9d53df09aa5ed8d383f7659a2
Instruction Fuzzy Hash: 69B3837A90C6D24BE328DF24E8A52BB77E5EB85301F04517AE589C7B56CE3CA405BF40

Function 00007FF63A8702E6 Relevance: 12.6, APIs: 3, Instructions: 8149networkmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63A858AB0: StrChrA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,00007FF63A8588E1), ref: 00007FF63A858ADE

WSASetLastError.WS2_32 ref: 00007FF63A871B38
socket.WS2_32 ref: 00007FF63A871F1C
VirtualAlloc.KERNELBASE ref: 00007FF63A87699E

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocErrorLastVirtualsocket
String ID:
API String ID: 2017719348-0
Opcode ID: e88fd56ae137a1c74461e8097582d2c5e2c0598196ac759611b4794dc1e3bd91
Instruction ID: 8f1cb30022d08910aaf1dfab2d42a03fb3daf46a38b974bb224adfc79228e5d5
Opcode Fuzzy Hash: e88fd56ae137a1c74461e8097582d2c5e2c0598196ac759611b4794dc1e3bd91
Instruction Fuzzy Hash: 1B04803AA086D24FE329DF34D8A56FA37E1EB45309F04517AE549CBB56CE3CA505BB00

Function 00000001800080F2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
memorynativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000817B
WriteProcessMemory.KERNELBASE ref: 000000018000820C
memset.NTDLL ref: 0000000180008354
memcpy.NTDLL ref: 0000000180008375
NtAlpcConnectPort.NTDLL ref: 00000001800083E7

Strings

Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!, xrefs: 0000000180008315
0, xrefs: 000000018000828B

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocAlpcConnectMemoryPortProcessVirtualWritememcpymemset
String ID: 0$Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!
API String ID: 2322259470-3460289035
Opcode ID: 7606ac36fa39d5fba01efb1612d82c7ec8bc058541244c139688a313f2a7d181
Instruction ID: 0b600ae3a3e83453483b19f834bfc71158cd70f74abece231445517b9c63723b
Opcode Fuzzy Hash: 7606ac36fa39d5fba01efb1612d82c7ec8bc058541244c139688a313f2a7d181
Instruction Fuzzy Hash: 35713DB5324EC891EFA5CF65E8587DA6362F788798F80A216DE4D07668DF3CC249C700

Function 0000000180009BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 0000000180009CB9

Strings

@, xrefs: 0000000180009CA1

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
Instruction ID: 13e2f726a9112c9c31c995d983c9da114070f7450b087ebba6d3042457f4b947
Opcode Fuzzy Hash: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
Instruction Fuzzy Hash: 8F41CF32318B9881EB65CF62F854BD67764F788784F519116EE8D43B14DF38C61AC700

Function 0000000180005824 Relevance: 3.0, APIs: 2, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 000000018000587E
NtQuerySystemInformation.NTDLL ref: 00000001800058CD

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: InformationQuerySystemrealloc
String ID:
API String ID: 4089764311-0
Opcode ID: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
Instruction ID: b0525076bbbf58c043072cd616ac76dc382e5d39b6996fcf6a95a9be821e6ce1
Opcode Fuzzy Hash: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
Instruction Fuzzy Hash: 27015EB632498485FB55CBA6E86839BB362E38CBD4F44E0269E0D47758CE28C1098700

Function 00007FF63A9F0A20 Relevance: 3.0, Instructions: 2990COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID:
API String ID: 2573137834-0
Opcode ID: 002b99e58013bd091bb3f1efd12dfbcd04e87f10befed7b9ccd1c4f08ecaca4e
Instruction ID: a38856f728f8555991ffcbf7557107269382d76837bda7e6ca02a73c7e4aded1
Opcode Fuzzy Hash: 002b99e58013bd091bb3f1efd12dfbcd04e87f10befed7b9ccd1c4f08ecaca4e
Instruction Fuzzy Hash: DE63F867E1C99109E34ACB3498E013D7EE65FC5346B0983BAE54BE771ADD2CA143BB40

Function 00000001800054D5 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE ref: 000000018000559C

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
Instruction ID: 9c50cbf5d08d3b6d4a605893f6b359a3682b26f1feaf6ace4ca51b493498b96a
Opcode Fuzzy Hash: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
Instruction Fuzzy Hash: 9211BFB1614B8885FB61CFA5E8187C773A0E38D794F45A116DE4E17B64CF38C209C704

Function 00007FF63A9EE680 Relevance: .9, Instructions: 933COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0746b3e73b7ebd77920953652783f00b32297ebf0d4588ce81e063e50ea78c0e
Instruction ID: 6285e803379504e019a6fa47b9c0fbb3e33f29116ca282e56b08782927e6d5e6
Opcode Fuzzy Hash: 0746b3e73b7ebd77920953652783f00b32297ebf0d4588ce81e063e50ea78c0e
Instruction Fuzzy Hash: 6BA2C727E1C9D149D35ACB3498E063A7EE66FC5341F0983B6E14AD375ADE2CA143BB40

Function 000002C44C3508D0 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 231
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002C44C3509EF

Strings

l.dl, xrefs: 000002C44C350913
ocat, xrefs: 000002C44C35092E
ntdl, xrefs: 000002C44C350909
ateH, xrefs: 000002C44C35097D
lloc, xrefs: 000002C44C350976
eAll, xrefs: 000002C44C350927
l.dl, xrefs: 000002C44C350962
RtlA, xrefs: 000002C44C35096F
eHea, xrefs: 000002C44C350935
RtlR, xrefs: 000002C44C350920
eap, xrefs: 000002C44C350984
ntdl, xrefs: 000002C44C35095B

Memory Dump Source

Source File: 00000000.00000002.1682254319.000002C44C350000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C44C350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c44c350000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: LibraryLoad
String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
API String ID: 1029625771-3994871222
Opcode ID: b11f4f2f506f70575e309f4ee35f27514d2eccd09e92f81734cd8165a29d1a1f
Instruction ID: 4a7614ff94ff476e892eddc8376722d8b2a31c36151adf110078cc7b047ab8f6
Opcode Fuzzy Hash: b11f4f2f506f70575e309f4ee35f27514d2eccd09e92f81734cd8165a29d1a1f
Instruction Fuzzy Hash: 60710531604E098FFB68EF58C869BAE73E2FF94310F24011AD80AC7285DB35D942CB95

Function 00007FF63AA12140 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF63AA12772,?,?,00000000,00007FF63AA0F985), ref: 00007FF63AA122BC
GetProcAddressForCaller.KERNELBASE(?,?,?,00007FF63AA12772,?,?,00000000,00007FF63AA0F985), ref: 00007FF63AA122C8

Strings

api-ms-, xrefs: 00007FF63AA12206
ext-ms-, xrefs: 00007FF63AA12219

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AddressCallerFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3520295827-537541572
Opcode ID: 2aad29cd30e0b31b49d84af00daefe6c2f6c56548210d022b1ceaf4a48be1a8b
Instruction ID: dc17cf971de90b50960c3df1c92b9c586660ebf49baa7e96bb3c3b902727aaf2
Opcode Fuzzy Hash: 2aad29cd30e0b31b49d84af00daefe6c2f6c56548210d022b1ceaf4a48be1a8b
Instruction Fuzzy Hash: D741D42BB19A5261FA19CB16A80457923D1BF59BE0F494275DD0DC7798DF3CE44AF300

Function 0000000180001920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 000000018000194B
GetModuleFileNameW.KERNEL32 ref: 000000018000195D
wcsstr.NTDLL ref: 000000018000196F
IsUserAnAdmin.SHELL32 ref: 000000018000197A
ExitProcess.KERNEL32 ref: 00000001800019A1

Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800015E5
Part of subcall function 00000001800015B0: memcpy.NTDLL ref: 0000000180001609
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 0000000180001613
Part of subcall function 00000001800015B0: memset.NTDLL ref: 0000000180001648
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016A8
Part of subcall function 00000001800015B0: GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800016CD
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016E7
Part of subcall function 00000001800015B0: memcpy.NTDLL ref: 00000001800016F5
Part of subcall function 00000001800015B0: OpenSCManagerW.ADVAPI32 ref: 0000000180001789

ExitProcess.KERNEL32 ref: 000000018000198E

Strings

svchost.exe, xrefs: 0000000180001963

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
String ID: svchost.exe
API String ID: 2075570005-3106260013
Opcode ID: 45f69df0e4fed2e44586dca63e0d8318bfe1b258da8823836d84a3e13a2394f6
Instruction ID: 5c56fdee547d7df19f87fbfca49010fe5bdf447972866224b63b2f3b95cb53d0
Opcode Fuzzy Hash: 45f69df0e4fed2e44586dca63e0d8318bfe1b258da8823836d84a3e13a2394f6
Instruction Fuzzy Hash: 9D015631311A4D81FBAADB21E8993DA2360BB8D795F449115A95E46695DF3CC34CC740

Function 00007FF63A83CED0 Relevance: 10.6, APIs: 7, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32 ref: 00007FF63A83CF64
setsockopt.WS2_32 ref: 00007FF63A83CFA1
setsockopt.WS2_32 ref: 00007FF63A83CFFF
setsockopt.WS2_32 ref: 00007FF63A83D03C

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: c38cac35fdacff014c4541e6b4e3abd54bb6126dc4ab5a11cef0fb7acfa13688
Instruction ID: 21396600436127486ce57fe2020f350b3440a6add3b4380b19e70641c4ecd772
Opcode Fuzzy Hash: c38cac35fdacff014c4541e6b4e3abd54bb6126dc4ab5a11cef0fb7acfa13688
Instruction Fuzzy Hash: F0513C7BA192428BD650CF58EC8452AB7A0FB84748B1050B6F68AC3B59DF3CE415BF04

Function 000002C44C350224 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 227
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002C44C3502F4
VirtualAlloc.KERNELBASE ref: 000002C44C3503A1

Strings

ntdl, xrefs: 000002C44C350283
l.dl, xrefs: 000002C44C35028A
l, xrefs: 000002C44C350291
RtlAllocateHeap, xrefs: 000002C44C3502BC

Memory Dump Source

Source File: 00000000.00000002.1682254319.000002C44C350000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C44C350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c44c350000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID: RtlAllocateHeap$l$l.dl$ntdl
API String ID: 4275171209-1387368096
Opcode ID: b4c4ed2c585202e7720ad32f940b49e1e34a84d2224b2416f6ee24bbd427b5d8
Instruction ID: f50c380ceb695c25b9b8704eb03b6a2257c5cc6855730765613b87ffa6f9c6b8
Opcode Fuzzy Hash: b4c4ed2c585202e7720ad32f940b49e1e34a84d2224b2416f6ee24bbd427b5d8
Instruction Fuzzy Hash: C861A470618E084FE75CEF68D89ABAA77E2FB48300F54415ED44AC3292EF35E9418BD5

Function 00007FF63AA06BFC Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63AA06C27
CreateThread.KERNELBASE ref: 00007FF63AA06C68
GetLastError.KERNEL32(?,?,?,?,?,00007FF63A829A68), ref: 00007FF63AA06C76
CloseHandle.KERNEL32(?,?,?,?,?,00007FF63A829A68), ref: 00007FF63AA06C8C
FreeLibrary.KERNEL32(?,?,?,?,?,00007FF63A829A68), ref: 00007FF63AA06C9B

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: bab2295e073a4f6ace4db4130badd438c31a8126a09a57ee1ca7020adb751a51
Instruction ID: e526f6bde380c88bcdf44da40dc33c45bf5b61c5a9f765aaaaec82afaab32623
Opcode Fuzzy Hash: bab2295e073a4f6ace4db4130badd438c31a8126a09a57ee1ca7020adb751a51
Instruction Fuzzy Hash: 5A214F3AA09B4286EF15DF62A410079B3A0EF88B94F084575DE4D83B95DE7CE442B740

Function 00007FF63A83AA80 Relevance: 6.1, APIs: 4, Instructions: 107
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 00007FF63A83AB1E
WSASetLastError.WS2_32 ref: 00007FF63A83AB55
freeaddrinfo.WS2_32 ref: 00007FF63A83AC12

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLastfreeaddrinfogetaddrinfo
String ID:
API String ID: 1817844550-0
Opcode ID: a6ae1f46db6b9b4b934caf5453b3632453f573c696a1fdf8df20312b1abb7991
Instruction ID: 8ccb7e867f31155852cc71a74fa84d7d89db2f850aecf3bffa5130ac188b6bd6
Opcode Fuzzy Hash: a6ae1f46db6b9b4b934caf5453b3632453f573c696a1fdf8df20312b1abb7991
Instruction Fuzzy Hash: 66510C3AA186858BD754DF19E89076AB3A1FB88744F404075EA8EC3BA5DF7CE415EF00

Function 000000018000AD3E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000ADC2

Strings

@, xrefs: 000000018000ADAC

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
Instruction ID: 6b845daad974ccd9c6abd76d61111d535f536517db2d34ef27256cbb8d76cfd7
Opcode Fuzzy Hash: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
Instruction Fuzzy Hash: 7B016DB5729A8C41FBA9CBA1F465BD62360A78DBD4F40A21A9D0E17B55DE2CC2068304

Function 00007FF63A83DAD0 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32 ref: 00007FF63A83DCB4

Part of subcall function 00007FF63A83DDE0: GetLastError.KERNEL32(?,?,?,?,00007FF63A83DD82), ref: 00007FF63A83DDE8

__WSAFDIsSet.WS2_32 ref: 00007FF63A83DD9D

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: dc751306dc8cf1236dd36cb09db1014315388741eb5250ea4012c355936f6198
Instruction ID: 782fe6abee43556343e4741b68fee389f25ed8aeab2eedf9d0acdac94be9f6db
Opcode Fuzzy Hash: dc751306dc8cf1236dd36cb09db1014315388741eb5250ea4012c355936f6198
Instruction Fuzzy Hash: F8910A7AA0C6428BD754CF19EC94639B7A1EB84348F102575E6CAC7B98CF3CE855AF04

Function 000002C44C35070D Relevance: 3.1, APIs: 2, Instructions: 108
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 000002C44C35075D
VirtualProtect.KERNELBASE ref: 000002C44C3507AE

Memory Dump Source

Source File: 00000000.00000002.1682254319.000002C44C350000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C44C350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c44c350000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction ID: cdedc164e2212d0a4b9b92805b186d1fdc5cf97e3c8a32ccb8931b239639c0a2
Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction Fuzzy Hash: F231D731658A008BEB2CAE0CE881A7A73D1F755304F38019CD9C7C7187EA3AE9438AD5

Function 000002C44C350000 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002C44C350179

Strings

run, xrefs: 000002C44C3501A5

Memory Dump Source

Source File: 00000000.00000002.1682254319.000002C44C350000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C44C350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c44c350000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID: run
API String ID: 4275171209-1349952704
Opcode ID: e5dc8825a7370ff9ec57641739cdc0d48f865f2156bb471bdecd58f16db5c67c
Instruction ID: eb5100753ffa11912c0aef7650b8fa8d2ac3e99cc592998c70c3b80294fcab92
Opcode Fuzzy Hash: e5dc8825a7370ff9ec57641739cdc0d48f865f2156bb471bdecd58f16db5c67c
Instruction Fuzzy Hash: 6C11B42031494C4BEB48FFA8C894BED72D6FB9C315F150229A84EC3281CD78D9428795

Function 00007FF63A83CBF0 Relevance: 3.1, APIs: 2, Instructions: 56
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32 ref: 00007FF63A83CCA1
WSAGetLastError.WS2_32 ref: 00007FF63A83CCB7

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorIoctlLast
String ID:
API String ID: 4052769934-0
Opcode ID: ed837b09f12dab1b763b41369a70df7f490d427acf7979e47f9f45fbe10ef913
Instruction ID: 56c75ec0e6f7099f0d014bdedb9e94478386da01b81a1cb39aba6044d94bee7a
Opcode Fuzzy Hash: ed837b09f12dab1b763b41369a70df7f490d427acf7979e47f9f45fbe10ef913
Instruction Fuzzy Hash: 7031A476A086818BE750CF58E88472AB7A0FB88754F504169E6C9C3B58DF7CE459EF00

Function 00007FF63A89E15E Relevance: 1.8, APIs: 1, Instructions: 311networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 00007FF63A89E1FC

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: EnumEventsNetwork
String ID:
API String ID: 1334179165-0
Opcode ID: 4ebcac89412e7efc30e7a2640db87857a87e6e34a58adc62e6712ee0787db7c2
Instruction ID: ddd9206fb83efc792a7934e2a7d929bfcf1c7c4545564b05144ad3eed489b9e7
Opcode Fuzzy Hash: 4ebcac89412e7efc30e7a2640db87857a87e6e34a58adc62e6712ee0787db7c2
Instruction Fuzzy Hash: 04E1823A90D5D24BE318DF28E8A55BA7BE1AB85301F0451BAE58DC3B56CE3CE405FB44

Function 00007FF63A845B20 Relevance: 1.6, APIs: 1, Instructions: 56networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00007FF63A845B0A), ref: 00007FF63A845BD0

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d9a925ab13b5f89ad6467af50c660541581057f2aad2aeabf3dab3806dc53e3c
Instruction ID: 55615de80af3eb0568a9147c123993bf1c6791deb57e3cda06965f59356fd887
Opcode Fuzzy Hash: d9a925ab13b5f89ad6467af50c660541581057f2aad2aeabf3dab3806dc53e3c
Instruction Fuzzy Hash: 98216A27F25B648DF704CBB5AC912BC37B4AB18748F1404A9EE8DA7B59CF3C9461A710

Function 00007FF63AA1189C Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63AA11954: HeapAlloc.KERNEL32(?,?,?,00007FF63AA118B9,?,?,00000000,00007FF63AA06A8B,?,?,?,00007FF63AA104D7,?,?,?,00007FF63AA103CD), ref: 00007FF63AA11992

RtlReAllocateHeap.NTDLL(?,?,00000000,00007FF63AA06A8B,?,?,?,00007FF63AA104D7,?,?,?,00007FF63AA103CD,?,?,00000000,00007FF63AA107AE), ref: 00007FF63AA11909

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: a07a89cb0b122696095850704bbce82ee04866544705d1835cf35ed82e0b98d6
Instruction ID: 44704265435ca92d307767f34d758d4b83f8cf686354e522fa8e57498f77acc6
Opcode Fuzzy Hash: a07a89cb0b122696095850704bbce82ee04866544705d1835cf35ed82e0b98d6
Instruction Fuzzy Hash: D401811FE0C703A0FEA4AB6259402B992D08F547E0F18C6B9E92DC63C2EE2CE4437710

Function 000000018000A9BE Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000AA41

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
Instruction ID: 251b8e02f3a2b925dc00676b0f08ae0c6924386de3889a0ff5d432a66f8cfcc3
Opcode Fuzzy Hash: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
Instruction Fuzzy Hash: 75012CB5619E8C41FBA9CBA1F464BDA6774E78DB94F40A11ADE0E17B51DF28C20AC304

Function 0000000180008E30 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

RtlAdjustPrivilege.NTDLL ref: 0000000180008E96

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AdjustPrivilege
String ID:
API String ID: 3260937286-0
Opcode ID: 5d6e4b59ff8a6b8225dc495acd6b689647a659c3c95a76a3c66f1975b6b2e2b3
Instruction ID: 006989147f6c0ef173a6ad63e481d54274f3f56e0f4d918a3b7be20be4d5dd86
Opcode Fuzzy Hash: 5d6e4b59ff8a6b8225dc495acd6b689647a659c3c95a76a3c66f1975b6b2e2b3
Instruction Fuzzy Hash: 18F04F3A334F8C81EBE9DB21E85979667A0B74CB98F41A406ED4D43B64CE3DC2158B00

Function 0000000180005A0D Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetProcessId.KERNELBASE ref: 0000000180005A81

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Process
String ID:
API String ID: 1235230986-0
Opcode ID: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
Instruction ID: d652ffa87c38ed1c04ac93e0a0d2335ef1528c7a1f19fbd04ef7ff50280f2555
Opcode Fuzzy Hash: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
Instruction Fuzzy Hash: 0C018BB271490485EB54CB59E4503AB7371F78DBD8F50A122EF4E87764DF29C256C704

Function 000000018000AF22 Relevance: 1.5, APIs: 1, Instructions: 31injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000AF9F

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
Instruction ID: 56856a108c934b35fd8b12db096080665d1aff2e22ecb35535ebb708edeb7d18
Opcode Fuzzy Hash: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
Instruction Fuzzy Hash: 9101E8B5319E8891FBA9CB52E898386A362A78DBD0F51D1169D0D47768CE2DC109C304

Function 000000018000A8B2 Relevance: 1.5, APIs: 1, Instructions: 30injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000A932

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
Instruction ID: 440d9c2e63d84a318507e4d3145013176a8cc7cafd38941c5fd7eab054e276a3
Opcode Fuzzy Hash: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
Instruction Fuzzy Hash: 4A013CF5319E8881FBA5CB56E898786A762E78EBD4F41D1168D4D0B768CF3DC109C304

Function 000000018000B100 Relevance: 1.5, APIs: 1, Instructions: 30injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000B17E

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
Instruction ID: 24c97e1a4b5bf787aa031fe235fe3c6da918f95ea593df74073bd4adbefb4954
Opcode Fuzzy Hash: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
Instruction Fuzzy Hash: 73F03CF5329E9981FBA5CB12EC58786A322F789BD4F41E1168D0D4B768CE2DC2098384

Function 00007FF63A83CA80 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF63A83CACF

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: af89ea1b8ec91a43d788d3702766a00663bf58fa3567b022c96e23f12184821a
Instruction ID: ae263206629e885d13e8a5c2ba2c38cfbcb1366c9e579895f02f9fedfa8bdb7f
Opcode Fuzzy Hash: af89ea1b8ec91a43d788d3702766a00663bf58fa3567b022c96e23f12184821a
Instruction Fuzzy Hash: D8F0F93AB286418BE650DF15E84552AB3A0FBC8748F8061A6F68D87719CF3DE016AF04

Function 00007FF63AA0F958 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63AA0F96C

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2cf6b01025c55fe36bac35e1374138a8c0fdc424bddf6831c527cfc152c669fd
Instruction ID: 98b0d5ff027dae7e6a4f40d95547a916c494b8b5d6e5adbeb0ce26a37db02fe9
Opcode Fuzzy Hash: 2cf6b01025c55fe36bac35e1374138a8c0fdc424bddf6831c527cfc152c669fd
Instruction Fuzzy Hash: 03E01A6BE0D10296FE14EBA488413BD22905F51349F9150B1E509E63C7CE6E6803B721

Function 00007FF63A83CA20 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF63A83CA52

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: b0bfba42d1e121afd2aa587a6bf0855246f236eddc80dfa68d8ee748d5dd00b9
Instruction ID: 260fc156134f5811535076656ced86c692557eae0754928fd5952917d47a167a
Opcode Fuzzy Hash: b0bfba42d1e121afd2aa587a6bf0855246f236eddc80dfa68d8ee748d5dd00b9
Instruction Fuzzy Hash: 73E01576A28A808BE650CF15E84512BB3B0FBC8748F809062F69E82718CF3CD016AF00

Function 000002C44C350544 Relevance: 1.4, APIs: 1, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,00000000,-00000010,-00000001,00000000,00000000,000002C44C3503CF), ref: 000002C44C3505F5

Memory Dump Source

Source File: 00000000.00000002.1682254319.000002C44C350000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C44C350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c44c350000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 554d3170c60eca2eb45742e049d3fa52307cae005affeb1c7ff9a92fbe018032
Instruction ID: 37fe2a3a1c4bd82a186b72d4e29df732fd80320b2cf561aff8a4f00ec129dad7
Opcode Fuzzy Hash: 554d3170c60eca2eb45742e049d3fa52307cae005affeb1c7ff9a92fbe018032
Instruction Fuzzy Hash: 2631D870618A088FE76CEF69D495B79B3D1FB88351F34052EE18AC3392EA39D8438755

Function 00007FF63AA119B4 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF63AA11FBA,?,?,0000AB33D6134830,00007FF63AA06DC1,?,?,?,?,00007FF63AA118D2,?,?,00000000), ref: 00007FF63AA11A09

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: a86d170df06594815dba4405610f31e691f9023b579b5647a33137061aee6a42
Instruction ID: 31bcd5c3763e6bcc54b92dcec243e26996138e587ce7e5f49d4e57f842e9567c
Opcode Fuzzy Hash: a86d170df06594815dba4405610f31e691f9023b579b5647a33137061aee6a42
Instruction Fuzzy Hash: 0AF0240FF09207A5FE5957A289003B916900F58B80F0C04B9CD0EC63C2FD6CE8837220

Function 00007FF63AA11954 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF63AA118B9,?,?,00000000,00007FF63AA06A8B,?,?,?,00007FF63AA104D7,?,?,?,00007FF63AA103CD), ref: 00007FF63AA11992

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 59a06c0fe47b61a158d5c0987dd7de93d021d18a07cf429da4402c5438593290
Instruction ID: db08a0809b9a47cfdfc617dcb0c332066e697bb54a3f3d9e31f4e9ab50ffafa7
Opcode Fuzzy Hash: 59a06c0fe47b61a158d5c0987dd7de93d021d18a07cf429da4402c5438593290
Instruction Fuzzy Hash: 36F08C1FF0C20BA1FE6566A2584037952824F847B0F0816B8ED3ECA3C2FE2DE4837611

Non-executed Functions

Function 0000000180001010 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 317filesleepmemoryCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000000018000103C
malloc.MSVCRT ref: 00000001800010C9
memcpy.NTDLL ref: 00000001800010EB
memcpy.NTDLL ref: 0000000180001100
memset.NTDLL ref: 00000001800011B4
wsprintfW.USER32 ref: 00000001800011D5
CreateFileW.KERNEL32 ref: 0000000180001203
GetLastError.KERNEL32 ref: 0000000180001212
WriteFile.KERNEL32 ref: 0000000180001233
GetLastError.KERNEL32 ref: 000000018000123D
CloseHandle.KERNEL32 ref: 0000000180001246
Sleep.KERNEL32 ref: 0000000180001251
memset.NTDLL ref: 0000000180001266
wsprintfW.USER32 ref: 0000000180001287
CreateFileW.KERNEL32 ref: 00000001800012B5
GetLastError.KERNEL32 ref: 00000001800012C4
WriteFile.KERNEL32 ref: 00000001800012E5
GetLastError.KERNEL32 ref: 00000001800012EF
CloseHandle.KERNEL32 ref: 00000001800012F8
Sleep.KERNEL32 ref: 0000000180001303
memset.NTDLL ref: 0000000180001318
wsprintfW.USER32 ref: 0000000180001339
CreateFileW.KERNEL32 ref: 0000000180001367
GetLastError.KERNEL32 ref: 0000000180001376
WriteFile.KERNEL32 ref: 0000000180001393
GetLastError.KERNEL32 ref: 000000018000139D
CloseHandle.KERNEL32 ref: 00000001800013A6
Sleep.KERNEL32 ref: 00000001800013B1
VirtualAlloc.KERNEL32 ref: 00000001800013D4
memcpy.NTDLL ref: 00000001800013F0
CreateThread.KERNEL32 ref: 000000018000140C
VariantInit.OLEAUT32 ref: 0000000180001441
SysAllocString.OLEAUT32 ref: 00000001800014A3
GetLastError.KERNEL32 ref: 00000001800014BE
memset.NTDLL ref: 00000001800014D6
wsprintfW.USER32 ref: 00000001800014F4
memset.NTDLL ref: 000000018000152F
memcpy.NTDLL ref: 0000000180001544
CreateThread.KERNEL32 ref: 0000000180001562

Strings

%s\%s, xrefs: 00000001800011C7, 0000000180001279, 000000018000132B, 00000001800014E9
\Microsoft\Windows, xrefs: 000000018000149C

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
String ID: %s\%s$\Microsoft\Windows
API String ID: 1085075972-4137575348
Opcode ID: 8ffd0cab172734a36e43c1cf7f5894ebfd94f3a2633384a290ba864bc3d060c0
Instruction ID: 94de6d573fa0d8927b5bb826392d177512a30fcfd5af4058503230c0fb562cf8
Opcode Fuzzy Hash: 8ffd0cab172734a36e43c1cf7f5894ebfd94f3a2633384a290ba864bc3d060c0
Instruction Fuzzy Hash: EDF17A32701F8985F7A6CF64E8487DD33A4F78DBA8F449215EE9A56694EF38C249C700

Function 0000000180001A10 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 162comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0000000180001A3B
CLSIDFromString.OLE32 ref: 0000000180001CFA
IIDFromString.OLE32 ref: 0000000180001D0D
CoCreateInstance.OLE32 ref: 0000000180001D2C

Strings

Y:\:, xrefs: 0000000180001AD8
A::, xrefs: 0000000180001A4F
Y::, xrefs: 0000000180001C46
\:[:, xrefs: 0000000180001B9B
X:[:, xrefs: 0000000180001BAA
\:^:, xrefs: 0000000180001C4D
:Y:, xrefs: 0000000180001C3F
^:G:, xrefs: 0000000180001B44
X:^:, xrefs: 0000000180001AE8
:, xrefs: 0000000180001CA0
:_:, xrefs: 0000000180001AF0

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: FromString$CreateInitializeInstance
String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
API String ID: 511945936-2205580742
Opcode ID: b21433bbcfd500ff2e1a040f01b86cf70ebae5ae9220c9be1f718c8c064dbea4
Instruction ID: d33754435be79ee62176bbf206138c07fbdd3e121f941c643f14d68da248290d
Opcode Fuzzy Hash: b21433bbcfd500ff2e1a040f01b86cf70ebae5ae9220c9be1f718c8c064dbea4
Instruction Fuzzy Hash: 2291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00

Function 0000000180001D60 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 227memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000180001DA5
SysAllocString.OLEAUT32 ref: 0000000180001DE4
SysAllocString.OLEAUT32 ref: 0000000180001DF0
IIDFromString.OLE32 ref: 0000000180001F31
SysAllocString.OLEAUT32 ref: 0000000180001F61
SysAllocString.OLEAUT32 ref: 0000000180001F71
VariantInit.OLEAUT32 ref: 0000000180001FEA
SysAllocString.OLEAUT32 ref: 0000000180001FF7

Strings

{4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}, xrefs: 0000000180001F26
SYSTEM, xrefs: 0000000180001DD9

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: String$Alloc$FromInitVariant
String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
API String ID: 929278495-107290059
Opcode ID: f90c8e403a0b1249590ad1665be699f9ac10e390f971a03fc807c8f653187a63
Instruction ID: e54bcdf9e92cae3ed311456612b02479e66d2eb3af00e5f4fdd7df8a388e748b
Opcode Fuzzy Hash: f90c8e403a0b1249590ad1665be699f9ac10e390f971a03fc807c8f653187a63
Instruction Fuzzy Hash: 6EB1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300

Function 0000000180028464 Relevance: 14.7, APIs: 9, Instructions: 1208COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00000001800284AD
_invalid_parameter_noinfo.LIBCMT ref: 0000000180028AB8
_invalid_parameter_noinfo.LIBCMT ref: 0000000180028C7B
_invalid_parameter_noinfo.LIBCMT ref: 0000000180028E82
_invalid_parameter_noinfo.LIBCMT ref: 0000000180029146
_invalid_parameter_noinfo.LIBCMT ref: 0000000180029341
memcpy_s.LIBCPMT ref: 000000018002942F
memcpy_s.LIBCPMT ref: 00000001800294DA
memcpy_s.LIBCPMT ref: 00000001800295A3

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID:
API String ID: 808467561-0
Opcode ID: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
Instruction ID: 4599084cfb13f8c747939fbc3aba35a6bd4e8a08bbcc0f0b71949d4f47730483
Opcode Fuzzy Hash: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
Instruction Fuzzy Hash: 5FB2E0766022998BE7A7CE69D544BED37A5F78C3C8F509125EA0657B88DF34CB48CB00

Function 00007FF63A858C00 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 335networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF63A858D00

Strings

bE|, xrefs: 00007FF63A858E72

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast
String ID: bE|
API String ID: 1452528299-1622097931
Opcode ID: 313a03b3af2a00bfe047cb8b84b9f5c966d05dc480f75a02f31c235431600d44
Instruction ID: 2d6132236d68d9ea414b6aa3b676f864388e886002d5a5989b92f0eca2f6a013
Opcode Fuzzy Hash: 313a03b3af2a00bfe047cb8b84b9f5c966d05dc480f75a02f31c235431600d44
Instruction Fuzzy Hash: A6F16D3AF05645CEE714DBB6D8911BC3BB2AB58748B1004B6EE0EC7755DE38A492FB10

Function 0000000180007550 Relevance: 9.2, Strings: 7, Instructions: 485COMMON

Download Yara Rule

Strings

NtAlpcSetInformation, xrefs: 0000000180007B33
\RPC Control\, xrefs: 0000000180007729
TpAllocAlpcCompletion, xrefs: 0000000180007A0A
NtAlpcConnectPort, xrefs: 0000000180007C5F
?Vse4", xrefs: 000000018000759B
NtAlpcCreatePort, xrefs: 00000001800078E1
ntdll.dll, xrefs: 000000018000780A

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: ?Vse4"$NtAlpcConnectPort$NtAlpcCreatePort$NtAlpcSetInformation$TpAllocAlpcCompletion$\RPC Control\$ntdll.dll
API String ID: 0-3440571002
Opcode ID: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
Instruction ID: 8c3100648684ed6cf3a6acba9f1e9974d33f54458c7afc613a7cd7d66638faa8
Opcode Fuzzy Hash: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
Instruction Fuzzy Hash: 53124DF5720E9891EF94CBB9E8687C66362F78D798F81A117DE0D57624DE38C20AC700

Function 00007FF63A8549E0 Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF63A854AD6
bind.WS2_32 ref: 00007FF63A854B25
WSAGetLastError.WS2_32 ref: 00007FF63A854C15
WSAGetLastError.WS2_32 ref: 00007FF63A854C64
WSAGetLastError.WS2_32 ref: 00007FF63A854BA2

Part of subcall function 00007FF63A854700: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF63A835191), ref: 00007FF63A854727

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast$bindsocket
String ID:
API String ID: 2672188334-0
Opcode ID: 4f19865bda3b12aa65bde297c8eeb848f29aeb92f68061c147d016fa6e1a1ed0
Instruction ID: 9a3bb1e732cb0c0712e98b109c6c475fdfed7866c55f64bf9e3d9985573061d1
Opcode Fuzzy Hash: 4f19865bda3b12aa65bde297c8eeb848f29aeb92f68061c147d016fa6e1a1ed0
Instruction Fuzzy Hash: C4812C7AA0964286EB10DF15F84027AB761FF94748F504076EA8EC3B6ADE3CE445FB44

Function 0000000180016D88 Relevance: 7.0, Strings: 5, Instructions: 783COMMON

Download Yara Rule

Strings

__swift_1, xrefs: 0000000180017D10
call, xrefs: 0000000180016FE8
__unaligned, xrefs: 0000000180017A1E
__restrict, xrefs: 0000000180017B37
__swift_2, xrefs: 0000000180017D34

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ExceptionThrow
String ID: __restrict$__swift_1$__swift_2$__unaligned$call
API String ID: 432778473-3141380587
Opcode ID: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
Instruction ID: 673e966dcc0d85f334313fac89718d38bf41ed5ef13417959e8c730922fdb805
Opcode Fuzzy Hash: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
Instruction Fuzzy Hash: 5C627E72701E8882EB86EB25D4583DD27A1FB8EBD4F408125FA5E577A6DF38C649C700

Function 0000000180023B98 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180023BFC

Strings

gfffffff, xrefs: 0000000180023E99

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701

Function 0000000180003DBC Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

taskmgr.exe, xrefs: 0000000180003F94
C:\windows\system32\, xrefs: 0000000180003F43
WinSta0\Default, xrefs: 000000018000409C
C:\windows\, xrefs: 00000001800040A8

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$taskmgr.exe
API String ID: 0-638001070
Opcode ID: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
Instruction ID: 1bf4e9e1e70513e3816d114cab4aa84c7a719184b3830627372934e1f9606700
Opcode Fuzzy Hash: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
Instruction Fuzzy Hash: 0C8127F5324E9982EF95CBA8F8697D66322F7897D8F80A112CD1E57624DE38D209C704

Function 0000000180003AE0 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

C:\windows\system32\, xrefs: 0000000180003B90
WinSta0\Default, xrefs: 0000000180003C39
C:\windows\, xrefs: 0000000180003C45
winver.exe, xrefs: 0000000180003BE1

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$winver.exe
API String ID: 0-1160837885
Opcode ID: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
Instruction ID: 55855d67a1f766f1614c6ad6b77d44964cb4204ffe99e224a87b86ff19b563fd
Opcode Fuzzy Hash: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
Instruction Fuzzy Hash: C841A4B5324E9882FF55CB69F8687966322F789BD8F40A116CD5E4B764DE3CC20AC704

Function 00007FF63A8BDC36 Relevance: 4.9, APIs: 1, Instructions: 3644COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF63A8C1511

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c3dd4c0e9385bfd57a55dd02cfd5c7f506640c84b3a23a86f047f0916954dca1
Instruction ID: f161eab85c47a14871370113dd2e6ced5406633ba5b2ab8c1840f85fc5307754
Opcode Fuzzy Hash: c3dd4c0e9385bfd57a55dd02cfd5c7f506640c84b3a23a86f047f0916954dca1
Instruction Fuzzy Hash: 1273917A9086D24FE328DF3498E52FE37E5AB45309F0451BAE549CBB56CE3CA505BB00

Function 0000000180028038 Relevance: 4.8, APIs: 3, Instructions: 317COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 000000018002809E
memcpy_s.LIBCPMT ref: 00000001800280C9

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
Instruction ID: 57088630f82899a46a4f04304140a90d468cb093ad556e4d18a7d8c59b71a2f9
Opcode Fuzzy Hash: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
Instruction Fuzzy Hash: 5EC1387671628987EB66CF19E044B9EB791F7987C4F44C125EB4A43B84DB38EA09DB00

Function 00007FF63A886D54 Relevance: 4.1, Strings: 1, Instructions: 2833COMMON

Download Yara Rule

Strings

YJQ14M, xrefs: 00007FF63A888A7D

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: YJQ14M
API String ID: 0-2177451014
Opcode ID: 0af040db7df14dfe293f60302d2c0759f28008a493c87d53679fe50132aa8295
Instruction ID: 3ed14adad9bfea343fcbcfb72757ee6228b44ad8786c040b64f481ad888f9b3c
Opcode Fuzzy Hash: 0af040db7df14dfe293f60302d2c0759f28008a493c87d53679fe50132aa8295
Instruction Fuzzy Hash: C3539136A086D24FD329DF38DCA52FA37E5AB45309F04517AE649CBB56CE3CA505BB00

Function 00007FF63A83D9D0 Relevance: 3.1, APIs: 2, Instructions: 55networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32 ref: 00007FF63A83DA59
WSAGetLastError.WS2_32 ref: 00007FF63A83DA6F

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLastRecv
String ID:
API String ID: 904507345-0
Opcode ID: deb7d056b98802d721299dea02c37c7f98589deea631aa3ca4c427b9f49b8a50
Instruction ID: 5c51268f489d967984167efe31b54ac175bc9202bdc655b7045c54123986f0c7
Opcode Fuzzy Hash: deb7d056b98802d721299dea02c37c7f98589deea631aa3ca4c427b9f49b8a50
Instruction Fuzzy Hash: BF214F3AA1C6418BE750CF19E84462A77B0FB88789F101579E68DC7764DF3CE445AF00

Function 000000018001FED8 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

0, xrefs: 00000001800200A7
ko-KR, xrefs: 000000018001FEEC

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$ko-KR
API String ID: 3215553584-2196303776
Opcode ID: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
Instruction ID: 454ebc8193fa5ca865f8f1965dd2a4e4b4682b0a5584ee5ea9980d899769f2f6
Opcode Fuzzy Hash: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
Instruction Fuzzy Hash: 3A71D33521070D82FBFB9A1990807E963A1E74D7C4FA4D126BE49437ABCF35CA4B9705

Function 0000000180003220 Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

0, xrefs: 0000000180003282
p, xrefs: 00000001800032F3

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: 0$p
API String ID: 0-2059906072
Opcode ID: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
Instruction ID: 3ee67f828506e40d833cc10e170725f94807106ad1cab914bfb00022e22d59fe
Opcode Fuzzy Hash: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
Instruction Fuzzy Hash: A731F075605E9D81EB55DF56E894BD62321F388BD8F42A212ED4E0BB24EE3CC15AC700

Function 0000000180024EB0 Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180024EF9

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
Instruction ID: 1f61cd1c6d9a0cc47e5c3170d1c15f4e9de5b8ae94a737795fa3a990e1df4aaf
Opcode Fuzzy Hash: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
Instruction Fuzzy Hash: 0BA1E67231069881EBA3DB66A8047DAA3A0F78DBD4F549526FE9D07BC4DF78C64D8304

Function 000000018002C080 Relevance: 1.7, APIs: 1, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000018002C2CF

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
Instruction ID: 0593f73a9b31075b8e6bf2cb9e383320a294c5aeb291d1da762f6cdddc12ea76
Opcode Fuzzy Hash: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
Instruction Fuzzy Hash: 10B12B73600B88CBEB56CF29C88679C77A0F349B88F19C916EB59877A8CB35C955C701

Function 0000000180010F18 Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

l section in CAtlBaseModule, xrefs: 0000000180010FB7

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ExceptionThrow
String ID: l section in CAtlBaseModule
API String ID: 432778473-2709337986
Opcode ID: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
Instruction ID: 3133a5dfd5f79aac6ce2c53f471fbcfe22b2aa6c2a7d5a5a984ae032cb248d46
Opcode Fuzzy Hash: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
Instruction Fuzzy Hash: 23027C36600E8886EB96DF25E8443DD73A1FB8DBD5F448526EA4E43BA4DF38C648C700

Function 00000001800180EE Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

__restrict, xrefs: 00000001800183C3

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: __restrict
API String ID: 0-803856930
Opcode ID: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
Instruction ID: 2a1f3f8c5416bf1435224dd1e95b651f0a407b08188742a7ac323c2b5a68232f
Opcode Fuzzy Hash: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
Instruction Fuzzy Hash: DAF15936601F4886EB928F65D8543DC73A5EB8DBC8F548526FE0E47BA4DE78CB498340

Function 00007FF63A828CF2 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF63A828D54

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 7b0ed490353ac5753f53b679cf1d633e8f55c468c51ae4daf13fe6cf5aa634ea
Instruction ID: 732050b1d2a1f8be63cebae4dd58888cc8e2297d8cbf8c9517ebdc5a73b95165
Opcode Fuzzy Hash: 7b0ed490353ac5753f53b679cf1d633e8f55c468c51ae4daf13fe6cf5aa634ea
Instruction Fuzzy Hash: 35111C36A1C6018BD764CF19E89152AB7B1FB88748F505076F69EC3769CE3CE401AF44

Function 00007FF63AA0F09C Relevance: 1.5, APIs: 1, Instructions: 28timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF63AA0F0B0

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 2e6cf9f0f265987901d8c94c949428919c05d11ac58600d38c9db5a5ae17beab
Instruction ID: b4c6c11791adae061f0f821324ea7b15046e1cc9d1695e8509bf14a31ca16d38
Opcode Fuzzy Hash: 2e6cf9f0f265987901d8c94c949428919c05d11ac58600d38c9db5a5ae17beab
Instruction Fuzzy Hash: 79F0E2EAB2968843EE14C725D8103A852819F6CBF4F00A331EE3D4EBDAEE1CE0519300

Function 00007FF63AA0DE04 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF63AA0DFE6

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: aafb5cdcbcfdbea6ff1b2b0da23af50879320a08883d54d7ebcfe894ebd0289d
Instruction ID: c745d7ff7b1f0a75ae5c573a0f0e0c2e04a98bf62a11adacdef2d0baed7025bd
Opcode Fuzzy Hash: aafb5cdcbcfdbea6ff1b2b0da23af50879320a08883d54d7ebcfe894ebd0289d
Instruction Fuzzy Hash: 82B18D7B908B8586E7A4CF39C45023D3BA0EB59B48F2442B6CA4E87395CF3AD452F701

Function 000000018001FC0C Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

0, xrefs: 000000018001FDDB

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
Instruction ID: 71f2418fc044250fc616a08c0bb954c8cfb89a1255eab9d4a98bc77a135e3a3b
Opcode Fuzzy Hash: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
Instruction Fuzzy Hash: 5871E235210A0D82FBFB9A29A0407F92392E7487C4F94D016BE46577EACF35CA4B9745

Function 0000000180002C8A Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

201ef99a-7fa0-444c-9399-19ba84f12a1a, xrefs: 0000000180002DAE

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: 201ef99a-7fa0-444c-9399-19ba84f12a1a
API String ID: 0-3963691810
Opcode ID: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
Instruction ID: f859e3b1c76c282179c02603d62779a177e542a7d14e57d8a75f66858979eba8
Opcode Fuzzy Hash: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
Instruction Fuzzy Hash: A54153B1715B9D46EF89CB78D9653A62322FB8C7ACF40A516C90E47765DE38C209C300

Function 0000000180002526 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

ncalrpc, xrefs: 00000001800025DE

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: ncalrpc
API String ID: 0-2983622238
Opcode ID: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
Instruction ID: 72ca54434e2e545ad87ad6f85711ca4f80c48705b1af1cf0b8a8e1738ac29a0d
Opcode Fuzzy Hash: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
Instruction Fuzzy Hash: 99312FB1721A6952EF49CF78E8687966762F79C794F91E522CE0E4B624DE3CC209C700

Function 00007FF63A8C494C Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d2a2c5cf828a8c708c3c6e26cc7a7284321eea6bb625a0dda2739eaddb4e08
Instruction ID: 5a26b21fd7bf5d12088173a8934af97bd8cbdf1395e93af40d36f716c6ee5359
Opcode Fuzzy Hash: 84d2a2c5cf828a8c708c3c6e26cc7a7284321eea6bb625a0dda2739eaddb4e08
Instruction Fuzzy Hash: F692643690C6D28BE318DF28E4956BAB7E1EB85301F04517AE689C7B56CE3CE405BF00

Function 00007FF63A9EF9A0 Relevance: .8, Instructions: 770COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eea02c496926168e0f2016d62dcd4b3212950ef3c49fc117d334fa2024440a6
Instruction ID: d0a3ec819b78b2918788dc213945643c6970b4b6e6736c08cf26c1a16b99101c
Opcode Fuzzy Hash: 2eea02c496926168e0f2016d62dcd4b3212950ef3c49fc117d334fa2024440a6
Instruction Fuzzy Hash: AD82A86791C9D145D356CB34A8E023A7FE56FC5341F0983BAE18AD771AEE2CA143BB40

Function 0000000180014848 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
Instruction ID: 6d80879f2b6ca484a565809d41c0eb2dabc8ae21e66747f9efe079bfb1bd8c10
Opcode Fuzzy Hash: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
Instruction Fuzzy Hash: DA22D177310AA882EB46DB65C0547AC33B6FB48B84F028116FB599B7B1DF38D668C354

Function 000000018000DEE8 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
Instruction ID: 946e0dd2bba7b3100fd246393857d7d015b19ff97fe3a12f1d34a5a40530aed8
Opcode Fuzzy Hash: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
Instruction Fuzzy Hash: E4E181722046C986EBB2CB15E8943E977A1F78E7D4F84C121EA8A936D5DF78C64DC700

Function 0000000180029E8C Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
Instruction ID: c02e86e1f92cc5576d6cd232989999bceb531278b49536794b781076c4770d9c
Opcode Fuzzy Hash: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
Instruction Fuzzy Hash: BFE1D032708A848AE793CF68E5803DD77B1F74A7D8F548116EA4E57B99DE38C25AC700

Function 00000001800151E8 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
Instruction ID: 207e761d23252ea67ff1337872d1fa257f2b4668b6d9f4a23401ae9418e5b291
Opcode Fuzzy Hash: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
Instruction Fuzzy Hash: AFB1AB72A10B8886E352CF39D8457DC37A4F389B88F519216EE4D17B66DF35D689CB00

Function 00000001800069E0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30536b62a6d0da437fd114397cfbd3f50a9eae59392f0b1b67c723097f145a58
Instruction ID: 24312ee17ac27d640e5902fdf911b4c821bd108a67df2382ab98bc71ef406521
Opcode Fuzzy Hash: 30536b62a6d0da437fd114397cfbd3f50a9eae59392f0b1b67c723097f145a58
Instruction Fuzzy Hash: C8410672B10A5886EB14CB64F815B9AB3A8F788794F505025DF8E47B68EF3CC156C700

Function 000000018000469C Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
Instruction ID: 6a73b4ca67aa358b5cca9cf8f50e7addbf38a80432c4fb2377473208703d20e7
Opcode Fuzzy Hash: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
Instruction Fuzzy Hash: 645126E9654B9982EF94DBA9F8693D62322FB497D8F80F112CE1E57724DD38D209C304

Function 00000001800096E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
Instruction ID: b6fa69fb7e3d6089a58b1dc0a55349c666dd73e1d328c0310e1d9ae523244059
Opcode Fuzzy Hash: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
Instruction Fuzzy Hash: A351CF32715F8896EB64CB65F94478A73A5F7887C4F54412AEA8E83B28EF3CD119C700

Function 0000000180008EC0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
Instruction ID: 9937fe3f73516922539d469a7d9b5dbd200fa43091dfd9594953e81ca0841af9
Opcode Fuzzy Hash: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
Instruction Fuzzy Hash: 7F51C2B5760E9982EB64CF65E8687D66321FB89BD4F44E126DE0E57B24DE3CC11AC300

Function 0000000180021F44 Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
Instruction ID: 211af31c44281ca6c3f3932d9a28d26ed70725301ca9e5a4bb4aa04c7d8998f6
Opcode Fuzzy Hash: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
Instruction Fuzzy Hash: 25419232310A5886EB85CF6AE954399A391E34CFD4F49D427EE4D97B58DE3CC649C300

Function 000000018000B1AC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219bf7831b4ff29649a0959f5cba49ff1e968e7e299094c0451f4ae6976958c1
Instruction ID: 6cb90250f36c561b05bdbfb3a32d9520807f84a022e52005c3b8c35e7831f1c3
Opcode Fuzzy Hash: 219bf7831b4ff29649a0959f5cba49ff1e968e7e299094c0451f4ae6976958c1
Instruction Fuzzy Hash: B54103B3714E4995EB25CF61E86478AB3A5F3887D8F44E126EE4D07A18DF38C246C300

Function 000000018001AA6C Relevance: .1, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
Instruction ID: 048e6db2ecfd184872977d7eb727c5e493510e05d032e6f18c4ab6865a9947bf
Opcode Fuzzy Hash: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
Instruction Fuzzy Hash: B341B37261C6888AF7EB8F15B4847967B91E34E3D0F11C429F94A87691DF79C6888F00

Function 0000000180006AB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
Instruction ID: ea9816badbe891c07a2aded6d1ec92d5857af46983f2473552b7590bc608b90a
Opcode Fuzzy Hash: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
Instruction Fuzzy Hash: 24419D76B20A8886EB14CB65F45479AB365F38CBC4F40912ADE4E53B68DE3CC216C740

Function 000000018000C2D0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
Instruction ID: ff810da637aa1fd401c95da2c6d69315e604f84d2d111450c1a2a7c20e68e2a5
Opcode Fuzzy Hash: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
Instruction Fuzzy Hash: B941FFB2318F89D6DB54CFA5E4A579A7B61F388788F84901ADE4E47A14DF38C12AC340

Function 000000018000C6F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
Instruction ID: 1f6bebfb10a220892d2831274fb9d9e41c253fa787b11ea253d3ff134c5c468f
Opcode Fuzzy Hash: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
Instruction Fuzzy Hash: FF419FB2214F88D2EB54CF55E88478AB7A6F3447C4F94D126EE8D5BA18CF78C15AC740

Function 000000018000BEB0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
Instruction ID: d558cfae5a731fffe16df58c07b62597b32ae423ecf54f032ed4b289fbb168ab
Opcode Fuzzy Hash: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
Instruction Fuzzy Hash: 4041D3B2324E4DD2DF48CB15E454B9A7365F748BC8F658216DA4E87768EF39C21AC700

Function 000000018000B620 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
Instruction ID: c4b80034388e89da8ffe7b427c8155ba048d36e5b74cf413b7ce4096cc0294b9
Opcode Fuzzy Hash: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
Instruction Fuzzy Hash: AC4126B2728E48A2DB14CF25E69878E7762F3443C4F45A206EE4E57328DF39C225C700

Function 000000018000C370 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
Instruction ID: 30f2c0aa2bc627d33595a3753288768bcaf23473739ac437f1ff85fbf168e941
Opcode Fuzzy Hash: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
Instruction Fuzzy Hash: FA31CFB2764E8987EB94CFA4E4657EA3B21F384398F84911BDE4F47A14DE68C01AC341

Function 000000018000435B Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
Instruction ID: 42c4d16a0e0d136c5a94160c46d85d5892129638e54f14ca30ac4ff8e229c4e5
Opcode Fuzzy Hash: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
Instruction Fuzzy Hash: 65310DF9654B9892EB55DBB8F8697C62322F74D7D8F81B502CE0E27624DE38D209C740

Function 000000018000947B Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
Instruction ID: 91db3ca7ca736f51b2b9f4a1fdda40ff6b442f2c49d3b76bc6f7bd54feb42801
Opcode Fuzzy Hash: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
Instruction Fuzzy Hash: 2531FBB5314E8481EF99CF66ECA93A66362FB88BE4F54E1168E0F57B64CE3DC1458304

Function 0000000180004153 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
Instruction ID: b9540b73c02fa2fd8fd9ed4b04a7558bae6bb2522907684b3f8178f982c6447f
Opcode Fuzzy Hash: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
Instruction Fuzzy Hash: 3F215EF53159A882EB95CF65E8787972322FB49BD8F81E112CD1E57764DE38C209C304

Function 000000018000B280 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
Instruction ID: 34ebe62695f2a6a6ea2397927167a92a4784dc70ec7df40509b9419055f8788e
Opcode Fuzzy Hash: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
Instruction Fuzzy Hash: 7D31C1F6715A499AEB14CF60E46478AB3A5F3447C8F48E226EA4E47A1CDF78C219C304

Function 0000000180004CB0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
Instruction ID: ea228047f8abccb8f34d8cb69d0855da280cee6fe6b78123f25de321abaee775
Opcode Fuzzy Hash: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
Instruction Fuzzy Hash: BD2101B2724E8885EB95CF62E828B9A7361F38CBD4F419126DE4E47B54CE3CC10AC700

Function 0000000180006F70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
Instruction ID: 6d7058e35041f85eefca8006119c3596d2fa62747ef7dd2be534be946fff4e46
Opcode Fuzzy Hash: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
Instruction Fuzzy Hash: BB21D5B2764E5892DB59CFB6E864BC63761E759BD4F40A116EE0D57324EE38CA06C300

Function 000000018000B6C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
Instruction ID: 64e956f36281cdf23b4cab459502cafc9c3b83219f603c2a53f066b43bdf7739
Opcode Fuzzy Hash: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
Instruction Fuzzy Hash: 9931A2B2724A49A6DB15CF64D25878E7B62F3443D8F49A206DB0E57628EF39C16AC700

Function 0000000180003833 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
Instruction ID: 8007ea01a93bf6de8c95f9a16faa5e8d6c04bd6e38d315922757046993a1328b
Opcode Fuzzy Hash: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
Instruction Fuzzy Hash: 5F2148F5761EA982EB89CFB5E86979A2321E749BD8F41A112CD0E17724DE2CD6098300

Function 0000000180002666 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
Instruction ID: baf3eb62263214422a0973d769ae56c08939dd68f110effc1bb9cb03c9f86de4
Opcode Fuzzy Hash: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
Instruction Fuzzy Hash: CE2159F5720AA892EB85CFB4E468BD627A1F74C3A4F81A413DE0D47620EE39C209C300

Function 00000001800044C1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ba3d73c2f5686b073e58bf77ac5fca37af1a7b10adc11c162e07aac671ca2c
Instruction ID: fb4b37c46674135c9bcda74d3568f44faa2863dc5090cce6e90fb90ae548c0e0
Opcode Fuzzy Hash: f0ba3d73c2f5686b073e58bf77ac5fca37af1a7b10adc11c162e07aac671ca2c
Instruction Fuzzy Hash: 01118EA271498C46FB96DBB4F969BD76322EB4C3A9F80B012DD0D07A55DD3CC24AC700

Function 0000000180002A19 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
Instruction ID: 95480194bb9f6c9ad9d964584a4fad66eb43ce3f3ee230db89eb3e49904c33dd
Opcode Fuzzy Hash: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
Instruction Fuzzy Hash: 56210BF2711A5D92EB49DF75D868BD667A2E78CBD4F41E512CD0E5B624DE3CC2098300

Function 0000000180003717 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
Instruction ID: 02ba138fbc53fc0a7e206b6c0fccc1f4cb11f22df8a79a790e142c2087e4c986
Opcode Fuzzy Hash: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
Instruction Fuzzy Hash: 48213BB6761A5DC5EF49DF65E868B8A6721F788BD8F41A122CD0E47728DE3CD209C700

Function 000000018000290C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
Instruction ID: 4519c20df033b0754d584584f46a47e9c3f61284702b1b178af72c485ed47193
Opcode Fuzzy Hash: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
Instruction Fuzzy Hash: E02160F5714F8482EB45CBB5E8593CA63B1FB897A4F40A506DA4E57A24EE3CD20AC700

Function 0000000180002170 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
Instruction ID: bc53908923a101081ac78a2ff91d1596a8a62396a49556bd27b6b69a29ae519e
Opcode Fuzzy Hash: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
Instruction Fuzzy Hash: 6511E3E262096C82FB59DFA6A869F862332E349BD8F01E123DD5E5B714DD39C10BC300

Function 000000018000360B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
Instruction ID: 8fbfe2caa4e00eb4ae2a73ae29cd16ebba4a4082f14f5113274d96e794981e6d
Opcode Fuzzy Hash: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
Instruction Fuzzy Hash: 0721A4B2709A9882EB55CF64E4687977761FB8C798F41A116DE4E47A14EF3DC109C700

Function 00000001800045A9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
Instruction ID: 9e59c1c7de84271de07ddad5238888e61d5fae15b8e3d2a62c0818bf1ca1a5d9
Opcode Fuzzy Hash: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
Instruction Fuzzy Hash: 2F1151B5714E9882EB54CB74E46839A6361F7887B8F80A316C92E576E4DF39C10AC744

Function 0000000180002777 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
Instruction ID: 453c13d840d8ab8480c25eabad8a5a4e6cf22c2320a7064174f112572a8564ab
Opcode Fuzzy Hash: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
Instruction Fuzzy Hash: 8E113CE171196846FF89CF65D9697665393EB8C7E4F81E426CE0E8B768ED3CC1098304

Function 000000018000225E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
Instruction ID: dcb26d1462b17352493136ca1a284502f5bdb4a1f8be4333a819d013a470b478
Opcode Fuzzy Hash: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
Instruction Fuzzy Hash: 3311C2B6624A9E42E709DFF4B424FCA3771E389750F00B517DE4A53510DE38C21AC300

Function 000000018000284D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
Instruction ID: 1bcc190078e11d5e3502c0fb8cfdf52a8957de65a2b1b8071e9e04ba3849ecfd
Opcode Fuzzy Hash: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
Instruction Fuzzy Hash: 9D1100F5721E9841FB49CB75D4683D66362E788794F80A917CA0F57664DD39C2498340

Function 0000000180003CF2 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
Instruction ID: 81b86e7094c320bcc5e7f926c263843823ab5f04b050e6f3beb40bfc522f2c83
Opcode Fuzzy Hash: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
Instruction Fuzzy Hash: 4F114FB5614E9882EB54CB78F4687DA6321F78C798F80B113CD0E57625EE39C21AC340

Function 0000000180003530 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
Instruction ID: 58ab01e0f729e006e025e3cd5db47f1a357a7dbbf023e6ea43b04656e7f2b6d0
Opcode Fuzzy Hash: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
Instruction Fuzzy Hash: 6A113DB1715E6881EB59CF65E9587866362F74C798F82E122CC4E47728EE39C248C700

Function 0000000180002A06 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
Instruction ID: 246bc5305b8913a4d01db227893256f8bf5d597bde7be6eae501e461eb4fa0bc
Opcode Fuzzy Hash: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
Instruction Fuzzy Hash: A4113CB2711E5C91EB49CF25E868B9A67A1F78CB94F41E526DE0E47768DE3CC209C300

Function 0000000180003464 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
Instruction ID: 91f1bf17694832eb7885352137df2ae2a0c82d5e88c9f87b3bad460dc89f63f9
Opcode Fuzzy Hash: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
Instruction Fuzzy Hash: 451169F531286D82EB89CF65E929B865322E7487D8F82F112CC0E4B718ED39D109C700

Function 0000000180005E58 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
Instruction ID: 39990edd012c80a11a8c246ade81e0b00b1fb03419df7482220b1a2638345046
Opcode Fuzzy Hash: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
Instruction Fuzzy Hash: 7E11A5F1330A8886FB95CBB5E8683DA6361E78D7D4F84B012CE0E47765CE28C20AC304

Function 0000000180003880 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
Instruction ID: 15f0b12e67b83b815c9156cfa897ef3110cdd404d207d48cd89176b21f2d8fa0
Opcode Fuzzy Hash: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
Instruction Fuzzy Hash: 06015EB5751E6D82EB89DF75E4697DA2320EB48B94F82B512CC0E57320ED3CDA0AC300

Function 0000000180002E24 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
Instruction ID: 22dcafcaff4b78d83aaf35a6f31f5da21172cbe544e4bfae6083fdcba81ddec3
Opcode Fuzzy Hash: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
Instruction Fuzzy Hash: 080152F5611E9D82EB45CBB9E8A83D76325E78D7E8F40E1128E0E67625DE38C2098300

Function 00000001800033B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
Instruction ID: c05fe9916e29f3615726ac8ab40efd06a7f832fe150a5180127c36e0d361f74a
Opcode Fuzzy Hash: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
Instruction Fuzzy Hash: 130125F1652E5E82FB59CBA4E569BC66362EB487D8F40F1179D0D07618EE3CD219C304

Function 000000018002BBA8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
Instruction ID: c5723c18dcfd40d5e26eb64c6513ed8ad7c8279d3e69258c72aec0d621b19a73
Opcode Fuzzy Hash: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
Instruction Fuzzy Hash: 15F06871714A548AEBD5CF2CA44276A77D0F30C3C4FA0C519E68983B04D63D8165CF04

Function 00007FF63AA00B10 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63AA00B40
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF63AA00B62
GetModuleHandleW.KERNEL32 ref: 00007FF63AA00B6F
GetModuleHandleW.KERNEL32 ref: 00007FF63AA00B84
GetProcAddress.KERNEL32 ref: 00007FF63AA00B9C
GetProcAddress.KERNEL32 ref: 00007FF63AA00BAF
CreateEventW.KERNEL32 ref: 00007FF63AA00BDB
DeleteCriticalSection.KERNEL32 ref: 00007FF63AA00C27
CloseHandle.KERNEL32 ref: 00007FF63AA00C39

Strings

kernel32.dll, xrefs: 00007FF63AA00B7D
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF63AA00B68
SleepConditionVariableCS, xrefs: 00007FF63AA00B92
WakeAllConditionVariable, xrefs: 00007FF63AA00BA2

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseConcurrency::cancel_current_taskCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3155888939-3242537097
Opcode ID: 456cf0828f244fa9f043f2ede57b6f3d5d42998ea54c165d75fd4badeee2050d
Instruction ID: f45c82c3cf05bd9411ee428b184992a83db84aca43b38369ab4b3b1726be0204
Opcode Fuzzy Hash: 456cf0828f244fa9f043f2ede57b6f3d5d42998ea54c165d75fd4badeee2050d
Instruction Fuzzy Hash: CB31AF2FE0E60791FE55EB21A8911B82390AF49754F5805B5C95EC27E6EF2CE497F300

Function 00007FF63AA11DE0 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF63AA11DEF
FlsGetValue.KERNEL32 ref: 00007FF63AA11E04
FlsSetValue.KERNEL32 ref: 00007FF63AA11E25
FlsSetValue.KERNEL32 ref: 00007FF63AA11E52
FlsSetValue.KERNEL32 ref: 00007FF63AA11E63
FlsSetValue.KERNEL32 ref: 00007FF63AA11E74
SetLastError.KERNEL32 ref: 00007FF63AA11E8F
FlsGetValue.KERNEL32 ref: 00007FF63AA11EC5
FlsSetValue.KERNEL32 ref: 00007FF63AA11EE4

Part of subcall function 00007FF63AA119B4: HeapAlloc.KERNEL32(?,?,00000000,00007FF63AA11FBA,?,?,0000AB33D6134830,00007FF63AA06DC1,?,?,?,?,00007FF63AA118D2,?,?,00000000), ref: 00007FF63AA11A09

FlsSetValue.KERNEL32 ref: 00007FF63AA11F0C

Part of subcall function 00007FF63AA11918: HeapFree.KERNEL32(?,?,?,00007FF63AA18722,?,?,?,00007FF63AA1875F,?,?,00000000,00007FF63AA18C25,?,?,?,00007FF63AA18B57), ref: 00007FF63AA1192E
Part of subcall function 00007FF63AA11918: GetLastError.KERNEL32(?,?,?,00007FF63AA18722,?,?,?,00007FF63AA1875F,?,?,00000000,00007FF63AA18C25,?,?,?,00007FF63AA18B57), ref: 00007FF63AA11938

FlsSetValue.KERNEL32 ref: 00007FF63AA11F1D
FlsSetValue.KERNEL32 ref: 00007FF63AA11F2E

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: f54a537a96ed41447b78bf41fbc5987a757caf62bd4ec07670b16ced26e7dbf1
Instruction ID: 4c9577ffe488af62fc15fc3f23ee083df6bd9995864cf01834d6a7c5105cf8ab
Opcode Fuzzy Hash: f54a537a96ed41447b78bf41fbc5987a757caf62bd4ec07670b16ced26e7dbf1
Instruction Fuzzy Hash: F8418B2EF0C20261FA6CAB76955657951829F847B4F0457B8E93ECA7C7EF2CB443B240

Function 000000018001A7E8 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 000000018001A7F7

Part of subcall function 0000000180019CF8: __vcrt_initialize.LIBVCRUNTIME ref: 0000000180019D1A

__scrt_release_startup_lock.LIBCMT ref: 000000018001A87A
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 000000018001A890
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 000000018001A8BC
__scrt_get_show_window_mode.LIBCMT ref: 000000018001A8CD
__scrt_is_managed_app.LIBCMT ref: 000000018001A8F0
__scrt_uninitialize_crt.LIBCMT ref: 000000018001A907
__scrt_fastfail.LIBCMT ref: 000000018001A939
__scrt_fastfail.LIBCMT ref: 000000018001A944
__security_init_cookie.LIBCMT ref: 000000018001A960

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
String ID:
API String ID: 1326835672-0
Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350

Function 0000000180019F69 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 108COMMON

Download Yara Rule

APIs

__scrt_initialize_onexit_tables.LIBCMT ref: 000000018001A062
__scrt_fastfail.LIBCMT ref: 000000018001A0B1
__scrt_fastfail.LIBCMT ref: 000000018001A0BC
__scrt_fastfail.LIBCMT ref: 000000018001A0C7

Strings

onstructor closure', xrefs: 0000000180019FF4
`udt returning', xrefs: 0000000180019FCC
`eh vector vbase constructor iterator', xrefs: 0000000180019F9C
`local vftable', xrefs: 0000000180019FE0

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
API String ID: 2273495996-2419032777
Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304

Function 00007FF63A83AD20 Relevance: 9.2, APIs: 6, Instructions: 234networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF63A83AE38
WSASetLastError.WS2_32 ref: 00007FF63A83AEC3
getaddrinfo.WS2_32 ref: 00007FF63A83B03A
WSASetLastError.WS2_32 ref: 00007FF63A83B068

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast$getaddrinfo
String ID:
API String ID: 1863150271-0
Opcode ID: 3ab7f3789c69d25759ce1e405d840cee4a9b37aad97f97ef63cdf665af4b50e3
Instruction ID: 545d9f7bfe54ea0cfbb609cb49ffc59526ca60577e558afeeb5ed3a06b599543
Opcode Fuzzy Hash: 3ab7f3789c69d25759ce1e405d840cee4a9b37aad97f97ef63cdf665af4b50e3
Instruction Fuzzy Hash: BCD1F97AA046C28EE764CF68DC957FC33A0EB05308F104176DA8ADBB99DE38A545F750

Function 00007FF63AA11F58 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0000AB33D6134830,00007FF63AA06DC1,?,?,?,?,00007FF63AA118D2,?,?,00000000,00007FF63AA06A8B,?,?,?), ref: 00007FF63AA11F67
FlsSetValue.KERNEL32(?,?,0000AB33D6134830,00007FF63AA06DC1,?,?,?,?,00007FF63AA118D2,?,?,00000000,00007FF63AA06A8B,?,?,?), ref: 00007FF63AA11F9D
FlsSetValue.KERNEL32(?,?,0000AB33D6134830,00007FF63AA06DC1,?,?,?,?,00007FF63AA118D2,?,?,00000000,00007FF63AA06A8B,?,?,?), ref: 00007FF63AA11FCA
FlsSetValue.KERNEL32(?,?,0000AB33D6134830,00007FF63AA06DC1,?,?,?,?,00007FF63AA118D2,?,?,00000000,00007FF63AA06A8B,?,?,?), ref: 00007FF63AA11FDB
FlsSetValue.KERNEL32(?,?,0000AB33D6134830,00007FF63AA06DC1,?,?,?,?,00007FF63AA118D2,?,?,00000000,00007FF63AA06A8B,?,?,?), ref: 00007FF63AA11FEC
SetLastError.KERNEL32(?,?,0000AB33D6134830,00007FF63AA06DC1,?,?,?,?,00007FF63AA118D2,?,?,00000000,00007FF63AA06A8B,?,?,?), ref: 00007FF63AA12007

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: e949273b2c3ea89ca499fa59f06e19895faa38472840ef02cd909f44e0e6d6b5
Instruction ID: 262700523e9251b850b684e31714bcfc174c6027b5af03f9f4ba045d6852b806
Opcode Fuzzy Hash: e949273b2c3ea89ca499fa59f06e19895faa38472840ef02cd909f44e0e6d6b5
Instruction Fuzzy Hash: E1115E2AF0C64262FA58A735955507951529F887B0F0457B9E93E8A7C6EF2CE443B240

Function 00007FF63A843020 Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02607e3ea6a6cbde8c449cd7ea7a6c92e19837db6bf69292a951a97f045f3720
Instruction ID: 8d07993580eb316db12cacc2ad889aa3ae3eb761326deed1bfbfd3a2dc7918dd
Opcode Fuzzy Hash: 02607e3ea6a6cbde8c449cd7ea7a6c92e19837db6bf69292a951a97f045f3720
Instruction Fuzzy Hash: 8D512C3AE0964186D760DB19E84032DB7E0FB89B94F500176EA8DC7B65DF3DD945EB00

Function 000000018002B9A8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018002B9D0
_set_statfp.LIBCMT ref: 000000018002B9EB
_set_statfp.LIBCMT ref: 000000018002BA07
_set_statfp.LIBCMT ref: 000000018002BA43

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302

Function 00007FF63AA12020 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF63AA06E87,?,?,00000000,00007FF63AA07122,?,?,?,?,?,00007FF63AA070AE), ref: 00007FF63AA1203F
FlsSetValue.KERNEL32(?,?,?,00007FF63AA06E87,?,?,00000000,00007FF63AA07122,?,?,?,?,?,00007FF63AA070AE), ref: 00007FF63AA1205E
FlsSetValue.KERNEL32(?,?,?,00007FF63AA06E87,?,?,00000000,00007FF63AA07122,?,?,?,?,?,00007FF63AA070AE), ref: 00007FF63AA12086
FlsSetValue.KERNEL32(?,?,?,00007FF63AA06E87,?,?,00000000,00007FF63AA07122,?,?,?,?,?,00007FF63AA070AE), ref: 00007FF63AA12097
FlsSetValue.KERNEL32(?,?,?,00007FF63AA06E87,?,?,00000000,00007FF63AA07122,?,?,?,?,?,00007FF63AA070AE), ref: 00007FF63AA120A8

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 508e6e9c78b503bd6e6858421807a47fabaaeab8f9327a6f5af0b34ee76a4e74
Instruction ID: b2b937397c3d0b59c2c747940914341afc0a8a281b0995e1719e8c5c08baf456
Opcode Fuzzy Hash: 508e6e9c78b503bd6e6858421807a47fabaaeab8f9327a6f5af0b34ee76a4e74
Instruction Fuzzy Hash: B2115E2AF0C64261FA9C9B36955117AA1519F843F0F0457B4E93ECA7D6EE2CE847B200

Function 000000018001F660 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018001F698
_invalid_parameter_noinfo.LIBCMT ref: 000000018001F8D2

Strings

ko-KR, xrefs: 000000018001F6B7
*, xrefs: 000000018001F7A5

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *$ko-KR
API String ID: 3215553584-1095117856
Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750

Function 0000000180017B98 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

__swift_1, xrefs: 0000000180017D10
__swift_2, xrefs: 0000000180017D34

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: __swift_1$__swift_2
API String ID: 0-2914474356
Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340

Function 00007FF63A829F5A Relevance: 6.1, APIs: 4, Instructions: 86threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63A842B20: GetCurrentThread.KERNEL32 ref: 00007FF63A842B5D

SetEvent.KERNEL32 ref: 00007FF63A829FCF
GetQueuedCompletionStatus.KERNEL32 ref: 00007FF63A829FF8
GetCurrentThreadId.KERNEL32 ref: 00007FF63A82A088
SetEvent.KERNEL32 ref: 00007FF63A82A09B

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: CurrentEventThread$CompletionQueuedStatus
String ID:
API String ID: 4264545264-0
Opcode ID: 1b28333e9a064f05924e3232a690e3fe8b8fb33e4e0023a33cbc503318eeb41a
Instruction ID: db36a01fbf330bd4f8b63ba9ac1a0e58735f2ca7652e446d4af2f89aab2b64fc
Opcode Fuzzy Hash: 1b28333e9a064f05924e3232a690e3fe8b8fb33e4e0023a33cbc503318eeb41a
Instruction Fuzzy Hash: 5841F73AE08A46DEEB10DF65D8502BC3770AB48758F100176DE1ED77A9DE38D445E700

Function 00007FF63A828F78 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 300COMMON

Download Yara Rule

Strings

izS, xrefs: 00007FF63A828FE7

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: izS
API String ID: 0-2683680911
Opcode ID: d21331b86481145414d3d1cfdf5b5b21ff80e7c9c5733e4e61133430bfb5b53e
Instruction ID: b68dc50ac5b9bda971b7cb2adfa468a4a3bc1ff2c621cd421741ca7f6ab28ccc
Opcode Fuzzy Hash: d21331b86481145414d3d1cfdf5b5b21ff80e7c9c5733e4e61133430bfb5b53e
Instruction Fuzzy Hash: 62F1F97AE095028FE754CF68D8906BC37A0FB44348B10447AE65ED7799DF38E896EB40

Function 0000000180023FE4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180024027

Strings

gfff, xrefs: 0000000180024149
o-l1-2-1, xrefs: 00000001800240CC

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfff$o-l1-2-1
API String ID: 3215553584-1082851355
Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700

Function 0000000180024430 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018002459E

Strings

synch-l1-2-0, xrefs: 00000001800244A4
api-ms-win-core-sysinfo-l1-2-1, xrefs: 00000001800244D1

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
API String ID: 3215553584-688204690
Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340

Function 000000018001D646 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001C478: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 000000018001C47C

__DestructExceptionObject.LIBVCRUNTIME ref: 000000018001D66E
__DestructExceptionObject.LIBVCRUNTIME ref: 000000018001D6F8

Strings

csm, xrefs: 000000018001D6CB

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: DestructExceptionObject$__vcrt_getptd_noexit
String ID: csm
API String ID: 3780691363-1018135373
Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction ID: 011c5e600e2baba1b5aebe761702f78806dc8dec4a9d5acc90072a234146c346
Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction Fuzzy Hash: 40212D76204A4887E7B2DF15E05079E7760F39DBE4F008206EEA943795CF39DA8ACB01

Function 00007FF63AA02F54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63AA016C3), ref: 00007FF63AA02F98
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63AA016C3), ref: 00007FF63AA02FDE

Strings

csm, xrefs: 00007FF63AA02FCB

Memory Dump Source

Source File: 00000000.00000002.1687846460.00007FF63A821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63A820000, based on PE: true

Associated: 00000000.00000002.1687810796.00007FF63A820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688096510.00007FF63AA1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688135047.00007FF63AA39000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688172175.00007FF63AA50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688228946.00007FF63AA53000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63a820000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: c69def4a9b69ec68cdadcbf7e6dc0b15355863e04cf7ca90672bcfc62912cc36
Instruction ID: 7ae7bffd96e33fc05cd03e21e9b737bda3e4a8f9f456e0076dbadc6be4e3b7e0
Opcode Fuzzy Hash: c69def4a9b69ec68cdadcbf7e6dc0b15355863e04cf7ca90672bcfc62912cc36
Instruction Fuzzy Hash: 2E118F37608B8182EB158F25E400269B7E1FB88B98F184275EF8D47B58DF3CC566DB00

Function 000000018001A972 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000018001A99B

Strings

nt delete closure', xrefs: 000000018001A9A0
`vector destructor iterator', xrefs: 000000018001A980

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: __std_exception_copy
String ID: `vector destructor iterator'$nt delete closure'
API String ID: 592178966-1611991873
Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301

Function 000000018001AA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 000000018001AA55
_CxxThrowException.LIBVCRUNTIME ref: 000000018001AA66

Strings

File, xrefs: 000000018001AA5A

Memory Dump Source

Source File: 00000000.00000002.1681341231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1681121772.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681676774.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681702262.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1681724362.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID: File
API String ID: 932687459-749574446
Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2024-12-10#U67e5#U9605_uninst.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Windows Mail\arphaCrashReport64.exe

C:\Program Files\Windows Mail\arphaDump64.bin

C:\Program Files\Windows Mail\arphaDump64.dll

C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
2024-12-10#U67e5#U9605_uninst.exe

Function 00000001800015B0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 211
servicestringCOMMON

Function 00000001800080F2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
memorynativeinjectionCOMMON

Function 0000000180009BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
memoryCOMMON

Function 000002C44C3508D0 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 231
libraryCOMMON

Function 00007FF63AA12140 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
COMMON

Function 0000000180001920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38
COMMON

Function 00007FF63A83CED0 Relevance: 10.6, APIs: 7, Instructions: 118
COMMON

Function 000002C44C350224 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 227
memoryCOMMON

Function 00007FF63AA06BFC Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Function 00007FF63A83AA80 Relevance: 6.1, APIs: 4, Instructions: 107
networkCOMMON

Function 000000018000AD3E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Function 00007FF63A83DAD0 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 000002C44C35070D Relevance: 3.1, APIs: 2, Instructions: 108
memoryCOMMON

Function 000002C44C350000 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 80
memoryCOMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre