Edit tour

Windows Analysis Report
2024-12-10#U67e5#U9605_uninst.exe

Overview

General Information

Sample name:	2024-12-10#U67e5#U9605_uninst.exe renamed because original name is a hash value
Original sample name:	2024-12-10_uninst.exe
Analysis ID:	1572748
MD5:	0aa972dc4d2fe4c5f9a7a9d26ea3f51f
SHA1:	2e141f8072836b479572b1d7fa468727011601eb
SHA256:	bb1d91e8f93a1b08b098969e48a12d2f2b8203a30de0c3d85ec8cd36a3fa8049
Tags:	exeSilverFoxuser-NDA0E
Infos:

Detection

ValleyRAT

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Yara detected ValleyRAT

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Deletes itself after installation

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain checking for user administrative privileges

Hijacks the control flow in another process

Modifies the context of a thread in another process (thread injection)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to create new users

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Tries to disable installed Antivirus / HIPS / PFW

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

2024-12-10#U67e5#U9605_uninst.exe (PID: 5044 cmdline: "C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe" MD5: 0AA972DC4D2FE4C5F9A7A9D26EA3F51F)

svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5164 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 4364 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

arphaCrashReport64.exe (PID: 2740 cmdline: "C:\Program Files\Windows Mail\arphaCrashReport64.exe" MD5: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A)

svchost.exe (PID: 6464 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 5196 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: svchost.exe PID: 1064	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security

Sigma Signatures

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe", ParentImage: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe, ParentProcessId: 5044, ParentProcessName: 2024-12-10#U67e5#U9605_uninst.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1064, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe", ParentImage: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe, ParentProcessId: 5044, ParentProcessName: 2024-12-10#U67e5#U9605_uninst.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1064, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.bin	Jump to behavior

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: 2024-12-10#U67e5#U9605_uninst.exe, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000005.00000002.2164041872.0000000180039000.00000002.00000001.01000000.00000005.sdmp, arphaDump64.dll.2.dr
Source:	Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: 2024-12-10#U67e5#U9605_uninst.exe, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000005.00000002.2172528768.00007FF6DD4A2000.00000002.00000001.01000000.00000004.sdmp, arphaCrashReport64.exe, 00000005.00000000.2156482490.00007FF6DD4A2000.00000002.00000001.01000000.00000004.sdmp, arphaCrashReport64.exe.2.dr

Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2706810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	2_2_00000200A2706810
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B86810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	2_2_00000200A2B86810
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	3_2_0000000180026810
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	4_2_0000000180026810

Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FE210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	2_2_00000200A26FE210
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FC850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A26FC850
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FCCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A26FCCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FDDD0 malloc,memset,FindFirstFileW,free,	2_2_00000200A26FDDD0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2B7CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7DDD0 malloc,memset,FindFirstFileW,free,	2_2_00000200A2B7DDD0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	2_2_00000200A2B7E210
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2B7C850
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_000000018001E210
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018001C850
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018001CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	3_2_000000018001DDD0
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	4_2_000000018001E210
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018001C850
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018001CCF0
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	4_2_000000018001DDD0

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A2709300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

2_2_00000200A2709300

Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188

Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 43.154.172.193
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF7D9A2D9D0 WSARecv,WSAGetLastError,

0_2_00007FF7D9A2D9D0

Source: global traffic

DNS traffic detected: DNS query: www.baidu.com

Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: arphaCrashReport64.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A2706200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,

2_2_00000200A2706200

Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2706200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	2_2_00000200A2706200
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F99F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	2_2_00000200A26F99F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F97D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_00000200A26F97D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_00000200A270F1B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B86200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	2_2_00000200A2B86200
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_00000200A2B8F1B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B799F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	2_2_00000200A2B799F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B797D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_00000200A2B797D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_000000018002F1B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_0000000180026200
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_00000001800197D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_00000001800199F0
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	4_2_000000018002F1B0
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	4_2_0000000180026200
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	4_2_00000001800197D0
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	4_2_00000001800199F0

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A26FAC60 DefWindowProcW,SendMessageW,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,lstrlenW,lstrlenW,GlobalUnlock,CloseClipboard,VirtualFree,VirtualFree,CloseClipboard,SendMessageW,PostQuitMessage,

2_2_00000200A26FAC60

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A26FA410 GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

2_2_00000200A26FA410

Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146340194.000001BCF03BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_5acba35a-4

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800080F2 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort,	0_2_00000001800080F2
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180005824 realloc,NtQuerySystemInformation,	0_2_0000000180005824
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F2830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	2_2_00000200A26F2830
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F1C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	2_2_00000200A26F1C70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F1AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	2_2_00000200A26F1AE0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B71C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	2_2_00000200A2B71C70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B71AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	2_2_00000200A2B71AE0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B72830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	2_2_00000200A2B72830
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_0000000180011AE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_0000000180011C70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	3_2_0000000180012830
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	4_2_0000000180012830
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	4_2_0000000180011AE0
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	4_2_0000000180011C70

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A27005A0: CreateFileW,memset,lstrlenA,DeviceIoControl,CloseHandle,

2_2_00000200A27005A0

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A270D2A0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,

2_2_00000200A270D2A0

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A27001A0 GetCurrentProcess,OpenProcessToken,GetLastError,DuplicateTokenEx,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CreateProcessAsUserW,

2_2_00000200A27001A0

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Jump to behavior

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9BE0A20	0_2_00007FF7D9BE0A20
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9A6B922	0_2_00007FF7D9A6B922
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9A4ADD0	0_2_00007FF7D9A4ADD0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9A602E6	0_2_00007FF7D9A602E6
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9BDE680	0_2_00007FF7D9BDE680
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9BDF9A0	0_2_00007FF7D9BDF9A0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AB494C	0_2_00007FF7D9AB494C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9A97926	0_2_00007FF7D9A97926
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AADC36	0_2_00007FF7D9AADC36
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AABE7A	0_2_00007FF7D9AABE7A
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9BFDE04	0_2_00007FF7D9BFDE04
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9A76D54	0_2_00007FF7D9A76D54
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9BFBD78	0_2_00007FF7D9BFBD78
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9A9C430	0_2_00007FF7D9A9C430
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9C00420	0_2_00007FF7D9C00420
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AAD3CC	0_2_00007FF7D9AAD3CC
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AB76F7	0_2_00007FF7D9AB76F7
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AAA5E2	0_2_00007FF7D9AAA5E2
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AB187C	0_2_00007FF7D9AB187C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800080F2	0_2_00000001800080F2
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800054D5	0_2_00000001800054D5
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800015B0	0_2_00000001800015B0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180009BC0	0_2_0000000180009BC0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180001010	0_2_0000000180001010
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180028038	0_2_0000000180028038
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018002C080	0_2_000000018002C080
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800180EE	0_2_00000001800180EE
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180004153	0_2_0000000180004153
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002170	0_2_0000000180002170
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000B1AC	0_2_000000018000B1AC
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800151E8	0_2_00000001800151E8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003220	0_2_0000000180003220
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000225E	0_2_000000018000225E
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000B280	0_2_000000018000B280
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000C2D0	0_2_000000018000C2D0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003220	0_2_0000000180003220
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000435B	0_2_000000018000435B
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000C370	0_2_000000018000C370
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800033B8	0_2_00000001800033B8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180028464	0_2_0000000180028464
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003464	0_2_0000000180003464
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000947B	0_2_000000018000947B
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800044C1	0_2_00000001800044C1
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002526	0_2_0000000180002526
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003530	0_2_0000000180003530
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180007550	0_2_0000000180007550
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800045A9	0_2_00000001800045A9
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000360B	0_2_000000018000360B
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000B620	0_2_000000018000B620
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002666	0_2_0000000180002666
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000469C	0_2_000000018000469C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000B6C0	0_2_000000018000B6C0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800096E0	0_2_00000001800096E0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000C6F0	0_2_000000018000C6F0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003717	0_2_0000000180003717
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002777	0_2_0000000180002777
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003833	0_2_0000000180003833
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180014848	0_2_0000000180014848
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000284D	0_2_000000018000284D
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003880	0_2_0000000180003880
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000290C	0_2_000000018000290C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001800069E0	0_2_00000001800069E0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002A06	0_2_0000000180002A06
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180001A10	0_2_0000000180001A10
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002A19	0_2_0000000180002A19
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018001AA6C	0_2_000000018001AA6C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180006AB0	0_2_0000000180006AB0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003AE0	0_2_0000000180003AE0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180023B98	0_2_0000000180023B98
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018001FC0C	0_2_000000018001FC0C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002C8A	0_2_0000000180002C8A
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180004CB0	0_2_0000000180004CB0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003CF2	0_2_0000000180003CF2
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180001D60	0_2_0000000180001D60
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180016D88	0_2_0000000180016D88
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180003DBC	0_2_0000000180003DBC
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180002E24	0_2_0000000180002E24
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180005E58	0_2_0000000180005E58
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180029E8C	0_2_0000000180029E8C
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180024EB0	0_2_0000000180024EB0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000BEB0	0_2_000000018000BEB0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180008EC0	0_2_0000000180008EC0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018001FED8	0_2_000000018001FED8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_000000018000DEE8	0_2_000000018000DEE8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180010F18	0_2_0000000180010F18
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180021F44	0_2_0000000180021F44
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_0000000180006F70	0_2_0000000180006F70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180001010	2_2_0000000180001010
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180001A10	2_2_0000000180001A10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180001D60	2_2_0000000180001D60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003833	2_2_0000000180003833
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180028038	2_2_0000000180028038
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180014848	2_2_0000000180014848
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000284D	2_2_000000018000284D
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018002C080	2_2_000000018002C080
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003880	2_2_0000000180003880
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800180EE	2_2_00000001800180EE
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800080F2	2_2_00000001800080F2
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000290C	2_2_000000018000290C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180004153	2_2_0000000180004153
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002170	2_2_0000000180002170
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000B1AC	2_2_000000018000B1AC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800069E0	2_2_00000001800069E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800151E8	2_2_00000001800151E8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002A06	2_2_0000000180002A06
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002A19	2_2_0000000180002A19
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003220	2_2_0000000180003220
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000225E	2_2_000000018000225E
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001AA6C	2_2_000000018001AA6C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000B280	2_2_000000018000B280
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180006AB0	2_2_0000000180006AB0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000C2D0	2_2_000000018000C2D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003AE0	2_2_0000000180003AE0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003220	2_2_0000000180003220
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000435B	2_2_000000018000435B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000C370	2_2_000000018000C370
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180023B98	2_2_0000000180023B98
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800033B8	2_2_00000001800033B8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180009BC0	2_2_0000000180009BC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001FC0C	2_2_000000018001FC0C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180028464	2_2_0000000180028464
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003464	2_2_0000000180003464
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000947B	2_2_000000018000947B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002C8A	2_2_0000000180002C8A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180004CB0	2_2_0000000180004CB0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800044C1	2_2_00000001800044C1
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800054D5	2_2_00000001800054D5
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003CF2	2_2_0000000180003CF2
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002526	2_2_0000000180002526
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003530	2_2_0000000180003530
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180007550	2_2_0000000180007550
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180016D88	2_2_0000000180016D88
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800045A9	2_2_00000001800045A9
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800015B0	2_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003DBC	2_2_0000000180003DBC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000360B	2_2_000000018000360B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000B620	2_2_000000018000B620
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002E24	2_2_0000000180002E24
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180005E58	2_2_0000000180005E58
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002666	2_2_0000000180002666
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180029E8C	2_2_0000000180029E8C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000469C	2_2_000000018000469C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180024EB0	2_2_0000000180024EB0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000BEB0	2_2_000000018000BEB0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000B6C0	2_2_000000018000B6C0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180008EC0	2_2_0000000180008EC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018001FED8	2_2_000000018001FED8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001800096E0	2_2_00000001800096E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000DEE8	2_2_000000018000DEE8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000000018000C6F0	2_2_000000018000C6F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180003717	2_2_0000000180003717
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180010F18	2_2_0000000180010F18
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180021F44	2_2_0000000180021F44
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180006F70	2_2_0000000180006F70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0000000180002777	2_2_0000000180002777
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FF9E0	2_2_00000200A26FF9E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2700680	2_2_00000200A2700680
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2703464	2_2_00000200A2703464
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E3470	2_2_00000200A26E3470
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FD420	2_2_00000200A26FD420
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A272C410	2_2_00000200A272C410
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F4410	2_2_00000200A26F4410
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A27134F0	2_2_00000200A27134F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E54E0	2_2_00000200A26E54E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A27024E0	2_2_00000200A27024E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A27044B0	2_2_00000200A27044B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E656A	2_2_00000200A26E656A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FE550	2_2_00000200A26FE550
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2706530	2_2_00000200A2706530
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EF5E0	2_2_00000200A26EF5E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EC5F0	2_2_00000200A26EC5F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E75D2	2_2_00000200A26E75D2
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FB5A0	2_2_00000200A26FB5A0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2705590	2_2_00000200A2705590
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E9588	2_2_00000200A26E9588
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2711270	2_2_00000200A2711270
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E1264	2_2_00000200A26E1264
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E227C	2_2_00000200A26E227C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F8230	2_2_00000200A26F8230
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E62E6	2_2_00000200A26E62E6
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A27442E0	2_2_00000200A27442E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E62F9	2_2_00000200A26E62F9
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26ED2F0	2_2_00000200A26ED2F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270B2D0	2_2_00000200A270B2D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2707290	2_2_00000200A2707290
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2705340	2_2_00000200A2705340
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2742327	2_2_00000200A2742327
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E3300	2_2_00000200A26E3300
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2709300	2_2_00000200A2709300
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E83E0	2_2_00000200A26E83E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E13F7	2_2_00000200A26E13F7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E73C0	2_2_00000200A26E73C0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F73D0	2_2_00000200A26F73D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A273B380	2_2_00000200A273B380
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2707870	2_2_00000200A2707870
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FC850	2_2_00000200A26FC850
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EB822	2_2_00000200A26EB822
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2710810	2_2_00000200A2710810
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EE8DC	2_2_00000200A26EE8DC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F38D0	2_2_00000200A26F38D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A271A8BC	2_2_00000200A271A8BC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270F890	2_2_00000200A270F890
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2708880	2_2_00000200A2708880
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E2971	2_2_00000200A26E2971
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2704930	2_2_00000200A2704930
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F99F0	2_2_00000200A26F99F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EE9B0	2_2_00000200A26EE9B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2736670	2_2_00000200A2736670
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2712660	2_2_00000200A2712660
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A271664B	2_2_00000200A271664B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E1630	2_2_00000200A26E1630
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F6630	2_2_00000200A26F6630
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F76E0	2_2_00000200A26F76E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A27286E0	2_2_00000200A27286E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EA6A0	2_2_00000200A26EA6A0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E769C	2_2_00000200A26E769C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E176F	2_2_00000200A26E176F
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2743770	2_2_00000200A2743770
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2713760	2_2_00000200A2713760
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FF710	2_2_00000200A26FF710
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E6704	2_2_00000200A26E6704
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2704700	2_2_00000200A2704700
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E271A	2_2_00000200A26E271A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270A7F0	2_2_00000200A270A7F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A27057C0	2_2_00000200A27057C0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A27167B8	2_2_00000200A27167B8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2732790	2_2_00000200A2732790
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F8780	2_2_00000200A26F8780
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2745C60	2_2_00000200A2745C60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270FC54	2_2_00000200A270FC54
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270FC5D	2_2_00000200A270FC5D
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270FC42	2_2_00000200A270FC42
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270FC4B	2_2_00000200A270FC4B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270FC30	2_2_00000200A270FC30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270FC39	2_2_00000200A270FC39
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E6B00	2_2_00000200A26E6B00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2710C20	2_2_00000200A2710C20
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E7C3B	2_2_00000200A26E7C3B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270FC27	2_2_00000200A270FC27
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E8C05	2_2_00000200A26E8C05
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FCCF0	2_2_00000200A26FCCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E2CD2	2_2_00000200A26E2CD2
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E3CA6	2_2_00000200A26E3CA6
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2741CA7	2_2_00000200A2741CA7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F9CB0	2_2_00000200A26F9CB0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2705C90	2_2_00000200A2705C90
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2715C90	2_2_00000200A2715C90
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EAC80	2_2_00000200A26EAC80
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2716C9E	2_2_00000200A2716C9E
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E6C98	2_2_00000200A26E6C98
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2742D70	2_2_00000200A2742D70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E6D44	2_2_00000200A26E6D44
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EED50	2_2_00000200A26EED50
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270AD30	2_2_00000200A270AD30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2718D24	2_2_00000200A2718D24
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EEDF0	2_2_00000200A26EEDF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270BDC0	2_2_00000200A270BDC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F8DA0	2_2_00000200A26F8DA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E7DA1	2_2_00000200A26E7DA1
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2704D90	2_2_00000200A2704D90
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E2D8A	2_2_00000200A26E2D8A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E1D80	2_2_00000200A26E1D80
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FEA40	2_2_00000200A26FEA40
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E5A50	2_2_00000200A26E5A50
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270AA30	2_2_00000200A270AA30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E3A32	2_2_00000200A26E3A32
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E7A33	2_2_00000200A26E7A33
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2701A10	2_2_00000200A2701A10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2705A10	2_2_00000200A2705A10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EFA00	2_2_00000200A26EFA00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2733A00	2_2_00000200A2733A00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2715AD0	2_2_00000200A2715AD0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FAAD0	2_2_00000200A26FAAD0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EFAA0	2_2_00000200A26EFAA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E4A98	2_2_00000200A26E4A98
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2704B60	2_2_00000200A2704B60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F2B50	2_2_00000200A26F2B50
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E5B3E	2_2_00000200A26E5B3E
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E6B00	2_2_00000200A26E6B00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2703BC0	2_2_00000200A2703BC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E2BD6	2_2_00000200A26E2BD6
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26ECBAB	2_2_00000200A26ECBAB
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E1070	2_2_00000200A26E1070
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E6057	2_2_00000200A26E6057
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270E010	2_2_00000200A270E010
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E20C7	2_2_00000200A26E20C7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E7160	2_2_00000200A26E7160
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E517C	2_2_00000200A26E517C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E517A	2_2_00000200A26E517A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F2140	2_2_00000200A26F2140
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2724140	2_2_00000200A2724140
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F5150	2_2_00000200A26F5150
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E612D	2_2_00000200A26E612D
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E7113	2_2_00000200A26E7113
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EA110	2_2_00000200A26EA110
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E61EC	2_2_00000200A26E61EC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EA1E0	2_2_00000200A26EA1E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F1180	2_2_00000200A26F1180
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E219F	2_2_00000200A26E219F
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F9190	2_2_00000200A26F9190
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FA190	2_2_00000200A26FA190
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FAE40	2_2_00000200A26FAE40
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26EFE20	2_2_00000200A26EFE20
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2709E10	2_2_00000200A2709E10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E5E06	2_2_00000200A26E5E06
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A271DE00	2_2_00000200A271DE00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E6E10	2_2_00000200A26E6E10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F3E10	2_2_00000200A26F3E10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26ECE10	2_2_00000200A26ECE10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E6EEB	2_2_00000200A26E6EEB
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E3EC7	2_2_00000200A26E3EC7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F9EC0	2_2_00000200A26F9EC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2739E90	2_2_00000200A2739E90
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E7E89	2_2_00000200A26E7E89
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A273CF70	2_2_00000200A273CF70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F6F60	2_2_00000200A26F6F60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E7F7C	2_2_00000200A26E7F7C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E5F46	2_2_00000200A26E5F46
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2716F5F	2_2_00000200A2716F5F
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E6FF7	2_2_00000200A26E6FF7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2704FC0	2_2_00000200A2704FC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FEFC0	2_2_00000200A26FEFC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F7FA0	2_2_00000200A26F7FA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2714FA0	2_2_00000200A2714FA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E4FB5	2_2_00000200A26E4FB5
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26F5FB0	2_2_00000200A26F5FB0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2724F90	2_2_00000200A2724F90
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26E1F88	2_2_00000200A26E1F88
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2701F80	2_2_00000200A2701F80
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7F9E0	2_2_00000200A2B7F9E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B72140	2_2_00000200A2B72140
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B80680	2_2_00000200A2B80680
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B79CB0	2_2_00000200A2B79CB0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B844B0	2_2_00000200A2B844B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B63CA6	2_2_00000200A2B63CA6
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B85C90	2_2_00000200A2B85C90
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B66C98	2_2_00000200A2B66C98
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6AC80	2_2_00000200A2B6AC80
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7CCF0	2_2_00000200A2B7CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B934F0	2_2_00000200A2B934F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B654E0	2_2_00000200A2B654E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B824E0	2_2_00000200A2B824E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B62CD2	2_2_00000200A2B62CD2
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8FC39	2_2_00000200A2B8FC39
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8FC30	2_2_00000200A2B8FC30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B67C3B	2_2_00000200A2B67C3B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B66B00	2_2_00000200A2B66B00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7D420	2_2_00000200A2B7D420
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B90C20	2_2_00000200A2B90C20
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8FC27	2_2_00000200A2B8FC27
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B74410	2_2_00000200A2B74410
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B68C05	2_2_00000200A2B68C05
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B63470	2_2_00000200A2B63470
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B83464	2_2_00000200A2B83464
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8FC5D	2_2_00000200A2B8FC5D
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8FC54	2_2_00000200A2B8FC54
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8FC4B	2_2_00000200A2B8FC4B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8FC42	2_2_00000200A2B8FC42
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B67DA1	2_2_00000200A2B67DA1
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B78DA0	2_2_00000200A2B78DA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7B5A0	2_2_00000200A2B7B5A0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B84D90	2_2_00000200A2B84D90
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B85590	2_2_00000200A2B85590
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B61D80	2_2_00000200A2B61D80
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B62D8A	2_2_00000200A2B62D8A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B69588	2_2_00000200A2B69588
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6EDF0	2_2_00000200A2B6EDF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6C5F0	2_2_00000200A2B6C5F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6F5E0	2_2_00000200A2B6F5E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B675D2	2_2_00000200A2B675D2
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8BDC0	2_2_00000200A2B8BDC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B86530	2_2_00000200A2B86530
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8AD30	2_2_00000200A2B8AD30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B98D24	2_2_00000200A2B98D24
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6656A	2_2_00000200A2B6656A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6ED50	2_2_00000200A2B6ED50
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7E550	2_2_00000200A2B7E550
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B66D44	2_2_00000200A2B66D44
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6FAA0	2_2_00000200A2B6FAA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B87290	2_2_00000200A2B87290
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B64A98	2_2_00000200A2B64A98
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6D2F0	2_2_00000200A2B6D2F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B662F9	2_2_00000200A2B662F9
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B662E6	2_2_00000200A2B662E6
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7AAD0	2_2_00000200A2B7AAD0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8B2D0	2_2_00000200A2B8B2D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B63A32	2_2_00000200A2B63A32
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B67A33	2_2_00000200A2B67A33
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B78230	2_2_00000200A2B78230
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8AA30	2_2_00000200A2B8AA30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B81A10	2_2_00000200A2B81A10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B85A10	2_2_00000200A2B85A10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6FA00	2_2_00000200A2B6FA00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B91270	2_2_00000200A2B91270
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6227C	2_2_00000200A2B6227C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B61264	2_2_00000200A2B61264
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B65A50	2_2_00000200A2B65A50
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7EA40	2_2_00000200A2B7EA40
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6CBAB	2_2_00000200A2B6CBAB
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B613F7	2_2_00000200A2B613F7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B683E0	2_2_00000200A2B683E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B62BD6	2_2_00000200A2B62BD6
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B773D0	2_2_00000200A2B773D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B673C0	2_2_00000200A2B673C0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B83BC0	2_2_00000200A2B83BC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B65B3E	2_2_00000200A2B65B3E
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B63300	2_2_00000200A2B63300
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B66B00	2_2_00000200A2B66B00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B89300	2_2_00000200A2B89300
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B84B60	2_2_00000200A2B84B60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B72B50	2_2_00000200A2B72B50
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B85340	2_2_00000200A2B85340
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B9A8BC	2_2_00000200A2B9A8BC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8F890	2_2_00000200A2B8F890
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B88880	2_2_00000200A2B88880
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B738D0	2_2_00000200A2B738D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6E8DC	2_2_00000200A2B6E8DC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B620C7	2_2_00000200A2B620C7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6B822	2_2_00000200A2B6B822
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8E010	2_2_00000200A2B8E010
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B90810	2_2_00000200A2B90810
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B61070	2_2_00000200A2B61070
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B87870	2_2_00000200A2B87870
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B66057	2_2_00000200A2B66057
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7C850	2_2_00000200A2B7C850
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6E9B0	2_2_00000200A2B6E9B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B79190	2_2_00000200A2B79190
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7A190	2_2_00000200A2B7A190
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6219F	2_2_00000200A2B6219F
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B71180	2_2_00000200A2B71180
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B799F0	2_2_00000200A2B799F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6A1E0	2_2_00000200A2B6A1E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B661EC	2_2_00000200A2B661EC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B84930	2_2_00000200A2B84930
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6612D	2_2_00000200A2B6612D
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B67113	2_2_00000200A2B67113
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6A110	2_2_00000200A2B6A110
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B62971	2_2_00000200A2B62971
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6517C	2_2_00000200A2B6517C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6517A	2_2_00000200A2B6517A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B67160	2_2_00000200A2B67160
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B75150	2_2_00000200A2B75150
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2BA4140	2_2_00000200A2BA4140
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6A6A0	2_2_00000200A2B6A6A0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6769C	2_2_00000200A2B6769C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B67E89	2_2_00000200A2B67E89
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B776E0	2_2_00000200A2B776E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B66EEB	2_2_00000200A2B66EEB
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B63EC7	2_2_00000200A2B63EC7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B79EC0	2_2_00000200A2B79EC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B61630	2_2_00000200A2B61630
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B76630	2_2_00000200A2B76630
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6FE20	2_2_00000200A2B6FE20
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B66E10	2_2_00000200A2B66E10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6CE10	2_2_00000200A2B6CE10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B73E10	2_2_00000200A2B73E10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B89E10	2_2_00000200A2B89E10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B65E06	2_2_00000200A2B65E06
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2BB6670	2_2_00000200A2BB6670
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B92660	2_2_00000200A2B92660
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7AE40	2_2_00000200A2B7AE40
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B64FB5	2_2_00000200A2B64FB5
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B75FB0	2_2_00000200A2B75FB0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B77FA0	2_2_00000200A2B77FA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B94FA0	2_2_00000200A2B94FA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B78780	2_2_00000200A2B78780
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B81F80	2_2_00000200A2B81F80
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B61F88	2_2_00000200A2B61F88
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B66FF7	2_2_00000200A2B66FF7
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8A7F0	2_2_00000200A2B8A7F0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7EFC0	2_2_00000200A2B7EFC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B84FC0	2_2_00000200A2B84FC0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B857C0	2_2_00000200A2B857C0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7F710	2_2_00000200A2B7F710
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6271A	2_2_00000200A2B6271A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B66704	2_2_00000200A2B66704
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B84700	2_2_00000200A2B84700
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B67F7C	2_2_00000200A2B67F7C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B76F60	2_2_00000200A2B76F60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B6176F	2_2_00000200A2B6176F
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B93760	2_2_00000200A2B93760
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B65F46	2_2_00000200A2B65F46
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180012140	3_2_0000000180012140
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180015150	3_2_0000000180015150
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800224E0	3_2_00000001800224E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180020680	3_2_0000000180020680
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800176E0	3_2_00000001800176E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001F9E0	3_2_000000018001F9E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001AAD0	3_2_000000018001AAD0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180013E10	3_2_0000000180013E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180006FF7	3_2_0000000180006FF7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018002E010	3_2_000000018002E010
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180006057	3_2_0000000180006057
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180001070	3_2_0000000180001070
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800020C7	3_2_00000001800020C7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000A110	3_2_000000018000A110
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180007113	3_2_0000000180007113
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000612D	3_2_000000018000612D
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180044140	3_2_0000000180044140
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180007160	3_2_0000000180007160

Source: Joe Sandbox View

Dropped File: C:\Program Files\Windows Mail\arphaCrashReport64.exe E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271

Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180044F40 appears 61 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180041800 appears 91 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 00000200A2721800 appears 91 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 00000200A2724F40 appears 61 times
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: String function: 00007FF7D9A16BB0 appears 64 times
Source: C:\Windows\System32\dllhost.exe	Code function: String function: 0000000180044F40 appears 61 times
Source: C:\Windows\System32\dllhost.exe	Code function: String function: 0000000180041800 appears 91 times

Source: 2024-12-10#U67e5#U9605_uninst.exe	Binary or memory string: OriginalFilename vs 2024-12-10#U67e5#U9605_uninst.exe
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs 2024-12-10#U67e5#U9605_uninst.exe
Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs 2024-12-10#U67e5#U9605_uninst.exe

Source: classification engine

Classification label: mal96.troj.evad.winEXE@11/5@1/2

Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2700680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	2_2_00000200A2700680
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2700480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	2_2_00000200A2700480
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2707290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2707290
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2709300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2709300
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2707870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2707870
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FFD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	2_2_00000200A26FFD10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2709A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	2_2_00000200A2709A70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	2_2_00000200A270CE70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B80680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	2_2_00000200A2B80680
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B80480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	2_2_00000200A2B80480
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	2_2_00000200A2B7FD10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B87290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2B87290
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B89A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	2_2_00000200A2B89A70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B89300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2B89300
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B87870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2B87870
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	2_2_00000200A2B8CE70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	3_2_0000000180020680
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_0000000180027290
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_0000000180029300
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	3_2_0000000180020480
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_0000000180027870
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	3_2_0000000180029A70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	3_2_000000018001FD10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	3_2_000000018002CE70
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_0000000180027290
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_0000000180029300
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	4_2_0000000180020480
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	4_2_0000000180020680
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_0000000180027870
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	4_2_0000000180029A70
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	4_2_000000018001FD10
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	4_2_000000018002CE70

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A26FC4E0 memset,memset,memset,QueryDosDeviceW,GetDriveTypeW,lstrlenW,GetVolumeInformationW,lstrlenW,GetDiskFreeSpaceExW,

2_2_00000200A26FC4E0

Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	2_2_00000200A27063C0
Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	2_2_00000200A2B863C0
Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	3_2_00000001800263C0
Source: C:\Windows\System32\dllhost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	4_2_00000001800263C0

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A270C950 memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

2_2_00000200A270C950

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_0000000180001A10 CoInitialize,CLSIDFromString,IIDFromString,CoCreateInstance,

0_2_0000000180001A10

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF7D9A34810 LoadResource,LockResource,SizeofResource,

0_2_00007FF7D9A34810

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A2710260 OpenSCManagerW,OpenServiceW,QueryServiceStatus,LockServiceDatabase,ChangeServiceConfigW,UnlockServiceDatabase,CloseServiceHandle,CloseServiceHandle,Sleep,VirtualFree,VirtualFree,

2_2_00000200A2710260

Source: C:\Windows\System32\svchost.exe

File created: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Jump to behavior

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: dllhost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: dllhost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}

Source: unknown	Process created: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe "C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\arphaCrashReport64.exe "C:\Program Files\Windows Mail\arphaCrashReport64.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\arphaCrashReport64.exe "C:\Program Files\Windows Mail\arphaCrashReport64.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: arphadump64.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior

Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.bin	Jump to behavior

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static file information: File size 2319360 > 1048576

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1fde00

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2024-12-10#U67e5#U9605_uninst.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: 2024-12-10#U67e5#U9605_uninst.exe, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000005.00000002.2164041872.0000000180039000.00000002.00000001.01000000.00000005.sdmp, arphaDump64.dll.2.dr
Source:	Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: 2024-12-10#U67e5#U9605_uninst.exe, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146480784.000001BCF0610000.00000004.00001000.00020000.00000000.sdmp, 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.3987451786.00000200A2530000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3982177497.0000000180001000.00000020.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000005.00000002.2172528768.00007FF6DD4A2000.00000002.00000001.01000000.00000004.sdmp, arphaCrashReport64.exe, 00000005.00000000.2156482490.00007FF6DD4A2000.00000002.00000001.01000000.00000004.sdmp, arphaCrashReport64.exe.2.dr

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A2704080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,

2_2_00000200A2704080

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AB8B14 push rax; ret	0_2_00007FF7D9AB8B15
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AB7CA5 push rdi; retf	0_2_00007FF7D9AB7CA6
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AB8379 push rbx; ret	0_2_00007FF7D9AB837A
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9AB755A push rbx; retf	0_2_00007FF7D9AB7560
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FC3E0 push rcx; ret	2_2_00000200A26FC3E1
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A27419F7 push FF491775h; ret	2_2_00000200A27419FC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7C3E0 push rcx; ret	2_2_00000200A2B7C3E1
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001C3E0 push rcx; ret	3_2_000000018001C3E1
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800619F7 push FF491775h; ret	3_2_00000001800619FC
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001C3E0 push rcx; ret	4_2_000000018001C3E1
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_00000001800619F7 push FF491775h; ret	4_2_00000001800619FC

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A27030FE VirtualFree,VirtualFree,malloc,malloc,VirtualFree,VirtualFree,NetUserAdd,Sleep,NetLocalGroupAddMembers,free,free,

2_2_00000200A27030FE

Source: C:\Windows\System32\svchost.exe	File created: C:\Program Files\Windows Mail\arphaCrashReport64.exe			Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Program Files\Windows Mail\arphaDump64.dll			Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A27103E0 OpenSCManagerW,OpenServiceW,QueryServiceStatus,ControlService,ControlService,ControlService,StartServiceW,CloseServiceHandle,CloseServiceHandle,Sleep,

2_2_00000200A27103E0

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\svchost.exe

File deleted: c:\users\user\desktop\2024-12-10#u67e5#u9605_uninst.exe

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A26FBFC0 OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,

2_2_00000200A26FBFC0

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Windows\System32\dllhost.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode	graph_0-50007
Source: C:\Windows\System32\svchost.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A26F6F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

2_2_00000200A26F6F60

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	0_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	2_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	2_2_00000200A270D140
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A270F890
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	2_2_00000200A2B8D140
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2B8F890
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	3_2_000000018002D140
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018002F890
Source: C:\Windows\System32\dllhost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	4_2_000000018002D140
Source: C:\Windows\System32\dllhost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018002F890

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\svchost.exe	API coverage: 3.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.5 %
Source: C:\Windows\System32\dllhost.exe	API coverage: 3.2 %

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe TID: 3516

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FE210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	2_2_00000200A26FE210
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FC850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A26FC850
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FCCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A26FCCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FDDD0 malloc,memset,FindFirstFileW,free,	2_2_00000200A26FDDD0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2B7CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7DDD0 malloc,memset,FindFirstFileW,free,	2_2_00000200A2B7DDD0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	2_2_00000200A2B7E210
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_00000200A2B7C850
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_000000018001E210
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018001C850
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000000018001CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	3_2_000000018001DDD0
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	4_2_000000018001E210
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018001C850
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018001CCF0
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	4_2_000000018001DDD0

Source: C:\Windows\System32\svchost.exe

2_2_00000200A2709300

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF7D9A18CF2 GetSystemInfo,

0_2_00007FF7D9A18CF2

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 2024-12-10#U67e5#U9605_uninst.exe, 00000000.00000002.2146108660.000001BCEE8EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: svchost.exe, 00000002.00000002.3984551119.00000200A122B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: dllhost.exe, 00000007.00000002.3983091657.0000021412F9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: dllhost.exe, 00000004.00000002.3983107829.00000256764FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: svchost.exe, 00000002.00000000.2131257301.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3984636703.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3983688737.000001F582013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3983468674.0000019565613000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: arphaCrashReport64.exe, 00000005.00000002.2164688506.0000027DD1D2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDD

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

API call chain: ExitProcess graph end node

graph_0-50013

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A270E276 mouse_event,BlockInput,

2_2_00000200A270E276

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF7D9BF6EF8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7D9BF6EF8

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF7D9BF16A4 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF7D9BF16A4

Source: C:\Windows\System32\svchost.exe

2_2_00000200A26F6F60

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_0000000180034DA0 VirtualAlloc ?,?,00000000,0000000180035130,?,?,00000000,0000000180014AAC

3_2_0000000180034DA0

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A2704080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,

2_2_00000200A2704080

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF7D9A174A0 GetProcessHeap,

0_2_00007FF7D9A174A0

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9BF6EF8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7D9BF6EF8
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9BF0E60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7D9BF0E60
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9BF12BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7D9BF12BC
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00000001801127E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00000001801127E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000001801127E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00000001801127E0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2740770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00000200A2740770
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2740030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00000200A2740030
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2744130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00000200A2744130
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2BC0030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00000200A2BC0030
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0000000180060030
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0000000180064130
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000000180060770
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0000000180060030
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0000000180064130
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0000000180060770

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\svchost.exe

File created: arphaCrashReport64.exe.2.dr

Jump to dropped file

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A11E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A2400000 protect: page read and write	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A1980000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A1990000 protect: page read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A2A10000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A2A20000 protect: page read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A2AB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A2AC0000 protect: page read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A26FF9E0 VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,GetLastError,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,memset,GetThreadContext,SetThreadContext,memset,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,GetLastError,

2_2_00000200A26FF9E0

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A270E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	2_2_00000200A270E4D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A26FF710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	2_2_00000200A26FF710
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2709E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	2_2_00000200A2709E10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B8E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	2_2_00000200A2B8E4D0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B89E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	2_2_00000200A2B89E10
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B7F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	2_2_00000200A2B7F710
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	3_2_000000018002E4D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	3_2_000000018001F710
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	3_2_0000000180029E10
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	4_2_000000018002E4D0
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	4_2_000000018001F710
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	4_2_0000000180029E10

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD252B131	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2518FB0	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x27DD251E8B1	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x27DD251E6D2	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x27DD252216D	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtClose: Direct from: 0x27DD253CA47
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAdjustPrivilegesToken: Direct from: 0x27DD2530727	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x27DD252244C	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x27DD253D4F8	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x27DD253D89D	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD251E4F4	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2530544	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtUnmapViewOfSection: Direct from: 0x27DD253C9A7	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtClose: Direct from: 0x27DD2530741
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2530883	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD252B08C	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQueryInformationProcess: Direct from: 0x27DD25191B3	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD25221DB	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x27DD251E065	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2530A9A	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD252B0C3	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD251D3EB	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD253069D	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD252B0FA	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2518494	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2530959	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x27DD2519000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2530818	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2530758	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD25307AD	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x27DD253D52B	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x27DD253D84B	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD251B8AD	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x27DD253D88C	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2530A2F	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAdjustPrivilegesToken: Direct from: 0x27DD2530511	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD25308EE	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD252AFDD	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD25309C4	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAdjustPrivilegesToken: Direct from: 0x27DD251C5C9	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x27DD253C984	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x27DD251B93E	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD2522212	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD251E173	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtClose: Direct from: 0x27DD253052B
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x27DD253D1CC	Jump to behavior

Hijacks the control flow in another process

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Memory written: PID: 1064 base: 200A11E0000 value: E9

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 5164	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 6464	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 4364	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 5196	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A11E0000	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A2400000	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A1980000	Jump to behavior
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A1990000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 25676320000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 256763B0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 25676310000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A2A10000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A2A20000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A2AB0000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A2AC0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 21412E90000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 21412F20000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 21412E80000	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	2_2_00000200A26F2140
Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	2_2_00000200A2B72140
Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	3_2_0000000180012140
Source: C:\Windows\System32\dllhost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	4_2_0000000180012140

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A270E010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,

2_2_00000200A270E010

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A270E276 mouse_event,BlockInput,

2_2_00000200A270E276

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\arphaCrashReport64.exe "C:\Program Files\Windows Mail\arphaCrashReport64.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior

Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior

Source: svchost.exe, 00000003.00000003.2778625577.000001F583580000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2778652049.000001F5835A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3382214979.000001F5835A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: dllhost.exe, 00000004.00000003.3967640147.0000025678A50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerP
Source: svchost.exe, 00000003.00000003.3382469512.000001F583640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2778672124.000001F5836C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3382267879.000001F5836C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TCPProgram Manager

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_000000018002BBA8 cpuid

0_2_000000018002BBA8

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A2707E20 CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,

2_2_00000200A2707E20

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe

Code function: 0_2_00007FF7D9BFF09C GetSystemTimeAsFileTime,

0_2_00007FF7D9BFF09C

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000200A27024E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

2_2_00000200A27024E0

Stealing of Sensitive Information

Yara detected ValleyRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 1064, type: MEMORYSTR

Remote Access Functionality

Yara detected ValleyRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 1064, type: MEMORYSTR

Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9A449E0 socket,bind,WSAGetLastError,WSAGetLastError,WSAGetLastError,	0_2_00007FF7D9A449E0
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9A48C00 WSAGetLastError,socket,WSAGetLastError,bind,WSAGetLastError,bind,WSAGetLastError,	0_2_00007FF7D9A48C00
Source: C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe	Code function: 0_2_00007FF7D9A36320 socket,bind,SetLastError,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,	0_2_00007FF7D9A36320
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2701520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	2_2_00000200A2701520
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A272A830 socket,socket,htonl,bind,getsockname,	2_2_00000200A272A830
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2727630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	2_2_00000200A2727630
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2736B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	2_2_00000200A2736B30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2B81520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	2_2_00000200A2B81520
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2BB6B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	2_2_00000200A2BB6B30
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2BAA830 socket,socket,htonl,bind,getsockname,	2_2_00000200A2BAA830
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000200A2BA7630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	2_2_00000200A2BA7630
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	3_2_0000000180021520
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	3_2_0000000180047630
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018004A830 socket,socket,htonl,bind,getsockname,	3_2_000000018004A830
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	3_2_0000000180056B30
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	4_2_0000000180021520
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	4_2_0000000180047630
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_000000018004A830 socket,socket,htonl,bind,getsockname,	4_2_000000018004A830
Source: C:\Windows\System32\dllhost.exe	Code function: 4_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	4_2_0000000180056B30

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	3 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	12 Windows Service	11 Access Token Manipulation	2 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	12 Service Execution	1 Scheduled Task/Job	12 Windows Service	1 DLL Side-Loading	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	623 Process Injection	1 File Deletion	Cached Domain Credentials	1 Network Share Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	12 Masquerading	DCSync	41 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	21 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	4 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	623 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Indicator Removal	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Program Files\Windows Mail\arphaCrashReport64.exe	4%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.wshifen.com	103.235.47.188	true	false		high
www.baidu.com	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.154.172.193	unknown	Japan		4249	LILLY-ASUS	false
103.235.47.188	www.wshifen.com	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572748
Start date and time:	2024-12-10 20:56:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2024-12-10#U67e5#U9605_uninst.exe renamed because original name is a hash value
Original Sample Name:	2024-12-10_uninst.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@11/5@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 37 Number of non-executed functions: 82
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 2024-12-10#U67e5#U9605_uninst.exe

Simulations

Behavior and APIs

Time	Type	Description
20:57:11	Task Scheduler	Run new task: MicrosoftEdgeUpdate path: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.235.47.188	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	Iifpj4i2kC.exe	Get hash	malicious	FormBook	Browse	www.zruypj169g.top/md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA==
	3.exe	Get hash	malicious	BlackMoon, XRed	Browse	www.baidu.com/
	CZyOWoN2hiszA6d.exe	Get hash	malicious	FormBook	Browse	www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd
	f2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	LisectAVT_2403002A_489.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe	Get hash	malicious	Bdaejec	Browse	www.baidu.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.wshifen.com	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	b6FArHy7yA.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	360safe.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
	XiaobingOnekey.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	DNF#U604b#U62180224a.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://profdentalcare.com	Get hash	malicious	Unknown	Browse	103.235.46.96
	Iifpj4i2kC.exe	Get hash	malicious	FormBook	Browse	103.235.47.188
	https://www.baidu.com/link?url=7AgUGxkCgEsQdPm9T1PXcA0XghaPOWMLvdhGyyVngg844uS4x-KZy4IMqs1ov0OgdFqhAB-_X2oOV9exK4hWC_&wd=ZWxraW58WTI5eVpUUmpaUzVqYjIwPXxNYkdVSlpkdVROdWNyeW1UWU1laElVVW1QbGRGb0F5RmNLcWJadW1CT01YYw==	Get hash	malicious	HTMLPhisher	Browse	103.235.46.96

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	hax.mpsl.elf	Get hash	malicious	Mirai	Browse	182.61.224.158
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	180.76.229.255
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	.akcqrfutuo.elf	Get hash	malicious	Unknown	Browse	106.13.55.248
	b6FArHy7yA.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	360safe.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
	XiaobingOnekey.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	arm7.elf	Get hash	malicious	Mirai	Browse	106.13.224.235
LILLY-ASUS	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	43.153.180.60
	Josho.arm.elf	Get hash	malicious	Unknown	Browse	43.75.63.212
	Josho.m68k.elf	Get hash	malicious	Unknown	Browse	40.171.24.94
	Josho.mpsl.elf	Get hash	malicious	Unknown	Browse	42.139.61.210
	hax.spc.elf	Get hash	malicious	Mirai	Browse	42.171.217.5
	http://enteolcl.top/	Get hash	malicious	Unknown	Browse	43.175.135.109
	hax.arm7.elf	Get hash	malicious	Mirai	Browse	42.175.33.200
	hax.mpsl.elf	Get hash	malicious	Mirai	Browse	40.225.254.87
	hax.sh4.elf	Get hash	malicious	Mirai	Browse	40.223.139.135

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Windows Mail\arphaCrashReport64.exe	png131.exe	Get hash	malicious	ValleyRAT	Browse
	install.exe	Get hash	malicious	ValleyRAT	Browse
	Telegrm2.69.exe	Get hash	malicious	Unknown	Browse
	Telegrm2.69.exe	Get hash	malicious	Unknown	Browse
	file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip	Get hash	malicious	Unknown	Browse
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse
	Cbrome1.0.exe	Get hash	malicious	Unknown	Browse
	Supe.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files\Windows Mail\arphaCrashReport64.exe

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238384
Entropy (8bit):	6.278635939854228
Encrypted:	false
SSDEEP:	3072:fN9rZ5vuFomptSepjTxUPjfOgwXCtRLDya09M9EvoHmkQ/2Y8L6vVefD:rZ5qomPSeCx7tRNQjSfD
MD5:	8B5D51DF7BBD67AEB51E9B9DEE6BC84A
SHA1:	DD63C3D4ACF0CE27F71CCE44B8950180E48E36FA
SHA-256:	E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
SHA-512:	1B4350D51C2107D0AA22EB01D64E1F1AB73C28114045C388BAF9547CC39A902C8A274A24479C7C2599F94C96F8772E438F21A2849316B5BD7F5D47C26A1E483B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: png131.exe, Detection: malicious, Browse Filename: install.exe, Detection: malicious, Browse Filename: Telegrm2.69.exe, Detection: malicious, Browse Filename: Telegrm2.69.exe, Detection: malicious, Browse Filename: file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip, Detection: malicious, Browse Filename: SvpnLong2.exe, Detection: malicious, Browse Filename: SvpnLong2.exe, Detection: malicious, Browse Filename: Cbrome1.0.exe, Detection: malicious, Browse Filename: Supe.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...:...:...:...;...:...;)..:...;...:...;...:...;...:...;...:...;...:3..;...:...:...:3..;...:3.4:...:..\:...:3..;...:Rich...:........................PE..d......`.........."..........t......$..........@....................................j.....`..........................................................p...-...P.......h..0;......l...P...8.......................(.................... ..@............................text............................... ..`.rdata..F.... ......................@..@.data...L&... ......................@....pdata.......P......................@..@.rsrc....-...p.......2..............@..@.reloc..l............`..............@..B........................................................................................................................................................................................................................

C:\Program Files\Windows Mail\arphaDump64.bin

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	546252
Entropy (8bit):	6.544066734855226
Encrypted:	false
SSDEEP:	12288:awnKbeNO/thmmWIK3z9rG3U9szzrHUPRxG0+UfYlrYS:flXDp9HPYlr5
MD5:	41A525ADD2B2B33FB9681C0E65E57B55
SHA1:	FC90352608D96D0454A2F51D7EEC7B6ECA687505
SHA-256:	3EE9E55C4C469042C3622D84CB4DA2EBCFA77C1D2517564AC289BA5D17264D64
SHA-512:	4CEB617727D6CF40E81E715BA2FBDB440859B3DC2DAC592FDAE93EB5577CDE341191AA98A87D3CFF3AF9D2CE95C465A71D7FC0CF004243C947F781BB0C263CD1
Malicious:	false
Reputation:	low
Preview:	4...H..(H...D$8run.H.L$8.O...H..(...eH..%`......D..3.L..E..t"A........A..a.J..L.I....A..D....u..H.A.....H.\$.H.l$.H.t$.WAVAWH.. D......H.P.H.j L..I.......M..L.P0M..tLIcB<B.........t<I.<..O.I...j....w 3.I..D..9_.v...I...P...A..D;.t+..H...;_.r.L;.u.3.H.\$@H.l$HH.t$PH.. A_A^_.O$I..D...Y.O.I..B...I.......@SH.. H.......%...H..H.. [H....H.\$.WH.. H..H...........H..H..H.\$0H.. _H.....H.\$.UVWATAUAVAWH.. L..M..3.Z.H........2=..L.......-A..H.D$x....M..M.f.H.D$p3...A..y.H..(fA;A.s\|I..9.u29E8~ZHc]8A......O.H..I..A.....A..L..G.3.H...T$p.-.O.A.......I..A.....A..W.H..D..I..H...T$x._.I....H..(..H......;.\|.H.\$`H.. A_A^A]A\_^].H.\$.H.l$.H.t$ WATAUAVAWH..@L..-A........ ...H.L$ D..H..3...D.g.E..H.L$ A....E..W.H.L$$..E..W.H.L$(..E..W.H.L$,..E..W.H.L$0..E..W`H.L$4..E..H.L$8....E..W H.L$<....O.B....../.H...5...M..E3.L..A..H.........A..Y.I.q0H..(H#.fE;i.......I..D.C.A.....A.....E..A#.A...A#.A....s..K.A..@....H.....OH..B..I..RD.T. A....A....D.CT. ..u.A..@t.A.A ..E..y.A.A$..t..K.L.L$pH...E.

C:\Program Files\Windows Mail\arphaDump64.dll

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	286720
Entropy (8bit):	6.3893906748659095
Encrypted:	false
SSDEEP:	3072:HxZrTgN6uyqfkqc53wuY+OrGW2LRKK9+R/BsP3VkxQO6yOxaXLNC3dvMvuTYpr:fsxkmyLRKiM/BsNd3yGaXpruT2r
MD5:	A0DDABA09C3626E07A748C662B83BE19
SHA1:	C28FA5C63075CD8846143F417A0C0D4874675B0F
SHA-256:	31E1AA8C30756D56F8E0038D37AAAC5A53976D1DB05D3534B8B2E1AA21407B4B
SHA-512:	59BAD78B84C4DA7097E87BA67CEB3CEB6F72774FEA78FBD7E2168E548A7860197708AD96CC5010A2D5669427BC916F5CC24F5F27AF8B474AC62DE620C757B41F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K+...Js..Js..Js.D2p..Js.D2v..Js.D2w..Js...p..Js...w..Js...v.,Js.D2r..Js..Jr.jJs...z..Js...s..Js.....Js...q..Js.Rich.Js.................PE..d....DDg.........." ...*.............^....................................................`..........................................,.......-..<............p..........................p.......................(.......@............................................text...P~.......................... ..`.rdata.............................@..@.data....&...@.......,..............@....pdata.......p.......B..............@..@.reloc...............X..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3188
Entropy (8bit):	3.559862861079417
Encrypted:	false
SSDEEP:	48:yei1q9tNTPQOYZj9c9V9Lbra+iaiudupRCRvA9ufAuRa7T5XhPsV8ic4dTCp+++:t7U4diaigVA9ll7dhFFb+
MD5:	53DCF71FCE78EA4C7B41FB4D973E5815
SHA1:	46FB4C836823ABC49A153F6385D66C5F9E0CA30D
SHA-256:	464DAC2210C387ADA19C7DF46AE18B628E1D8F9EA34DD7EDF812289CFECAF4DB
SHA-512:	BF9C4DBEC061FE85A099C4D8E31C09B75F9B8CDDD554CA0F241A63E08B463242A30272B423C0ED9F5A38844A89924530C358442EB898837CC00B1368C439008B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.A.u.t.h.o.r.>.S.Y.S.T.E.M.<./.A.u.t.h.o.r.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.M.i.c.r.o.s.o.f.t. .E.d.g.e. .U.p.d.a.t.e. .T.a.s.k. .M.a.c.h.i.n.e.C.o.r.e.<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t.E.d.g.e.U.p.d.a.t.e.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.B.o.o.t.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.B.o.o.t.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.U.s.e.r.I.d.>.S.-.1.-.5.-.1.8.<./.U.s.e.r.I.d.

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.711501029615035
Encrypted:	false
SSDEEP:	96:pYMguQII4isJ6h4aGdinipV9ll7UY5HAmzQ+:9A44/xne7HO+
MD5:	35DA4616E8C91EFD9EBE0B34A8632CC7
SHA1:	83A37A92682DF838A1573F1407A053E3CF0147A1
SHA-256:	71A642C890B1EC0409F68C6A81DEF12B82FB3F5EAC9031B6E520107DF5CF66BD
SHA-512:	20AAD70F8B11239230367E486EDA1E10ED22B5E629F0FF925B73B391BA230050CD365000A8D02127E9BD80A0046B2C329198C9F436274E7960F0672EE92A0099
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.132204010116387
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2024-12-10#U67e5#U9605_uninst.exe
File size:	2'319'360 bytes
MD5:	0aa972dc4d2fe4c5f9a7a9d26ea3f51f
SHA1:	2e141f8072836b479572b1d7fa468727011601eb
SHA256:	bb1d91e8f93a1b08b098969e48a12d2f2b8203a30de0c3d85ec8cd36a3fa8049
SHA512:	fcfad174c11e8085161afeebb0b4380bf82105ff3e108f09e115be7e51ef53a24159f12637862cdca4f770019fdaf78972966a81d406eedcc75a1b104fa072a0
SSDEEP:	49152:soQVMCMbSwPwOTINyDiSym2GBKhrKhpYVNw:WZoPZI0D3yLGB6wpYVNw
TLSH:	94B58D58258E8EA1F56F70B8990092D2DF22F52442B087FB37C5D655352A26CC8FFBC6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M..)...z...z...zB..{...zB..{...zB..{...z[..{...z[..{...z[..{;..z...z...z...{...zB..{...z...z...z...{...z...{...zRich...z.......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1401e0afc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6757D86F [Tue Dec 10 05:58:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	30e5e37178bcd33feee09c46955e53d9

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5DAD409B3Ch
dec eax
add esp, 28h
jmp 00007F5DAD408FAFh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
jmp 00007F5DAD409141h
dec eax
mov ecx, ebx
call 00007F5DAD419272h
test eax, eax
je 00007F5DAD409145h
dec eax
mov ecx, ebx
call 00007F5DAD40F01Ah
dec eax
test eax, eax
je 00007F5DAD409119h
dec eax
add esp, 20h
pop ebx
ret
dec eax
cmp ebx, FFFFFFFFh
je 00007F5DAD409138h
call 00007F5DAD409C74h
int3
call 00007F5DAD409C8Eh
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
mov edx, 00000FA0h
dec eax
lea ecx, dword ptr [00050A06h]
call dword ptr [0001E510h]
dec eax
lea ecx, dword ptr [00025401h]
call dword ptr [0001E6A3h]
dec eax
mov ebx, eax
dec eax
test eax, eax
jne 00007F5DAD409147h
dec eax
lea ecx, dword ptr [00025434h]
call dword ptr [0001E68Eh]
dec eax
mov ebx, eax
dec eax
test eax, eax
je 00007F5DAD4091B1h
dec eax
lea edx, dword ptr [0002543Fh]
dec eax
mov ecx, ebx
call dword ptr [0001E5A6h]
dec eax
lea edx, dword ptr [0002544Fh]
dec eax
mov ecx, ebx
dec eax
mov edi, eax
call dword ptr [0001E593h]
dec eax
test edi, edi
je 00007F5DAD409147h
dec eax
test eax, eax
je 00007F5DAD409142h
dec eax
mov dword ptr [000009CAh], edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x217cb4	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x233000	0x7e78	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x23b000	0x18d4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x210750	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x210900	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x210790	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1ff000	0x590	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1fdc40	0x1fde00	abc775d348f8fcdba8ba056dc90b6a66	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1ff000	0x19e0c	0x1a000	ad081c80f064c5b3d90710fd215ad089	False	0.3142841045673077	data	4.61868901075285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x219000	0x1986c	0x14800	65b50643df565d23f37475f99d8a275a	False	0.8717487614329268	DIY-Thermocam raw data (Lepton 2.x), scale 20575-8256, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 214.254868	7.671876601140216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x233000	0x7e78	0x8000	b714e5ad635fdebcddda0a616c83f649	False	0.45068359375	data	5.558361042678715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x23b000	0x18d4	0x1a00	a68bb8e43de5a6407a0e583bf4cb460c	False	0.3073918269230769	data	5.379536810924863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	Sleep, LocalFree, WriteConsoleW, InitializeCriticalSectionEx, GetLastError, DecodePointer, DeleteCriticalSection, RaiseException, GetProcessHeap, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, CreateEventA, InitializeCriticalSectionAndSpinCount, InitializeConditionVariable, CloseHandle, GetSystemInfo, ResetEvent, PostQueuedCompletionStatus, WaitForSingleObject, EnterCriticalSection, SetEvent, GetQueuedCompletionStatus, GetCurrentThreadId, LeaveCriticalSection, GetExitCodeThread, TerminateThread, SetLastError, CreateTimerQueue, InitializeSRWLock, DeleteTimerQueueEx, lstrlenA, CreateFileA, GetFileSize, CreateFileMappingA, MapViewOfFileEx, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleA, GetProcAddress, GetCurrentThread, WakeConditionVariable, CreateIoCompletionPort, WakeAllConditionVariable, SwitchToThread, SleepConditionVariableCS, FindResourceExW, LoadResource, LockResource, SizeofResource, FindResourceW, GetNativeSystemInfo, CreateTimerQueueTimer, WaitForMultipleObjects, UnmapViewOfFile, AcquireSRWLockShared, ReleaseSRWLockShared, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, lstrcatA, lstrcatW, VirtualAlloc, GetCurrentProcessId, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, RtlUnwindEx, RtlPcToFileHeader, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetFileType, GetTimeZoneInformation, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetStringTypeW, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, CreateFileW
SHLWAPI.dll	StrChrA
USER32.dll	MsgWaitForMultipleObjects, TranslateMessage, UnregisterClassA, PeekMessageA, DispatchMessageA
WS2_32.dll	getsockname, getpeername, ntohl, htonl, WSAIoctl, setsockopt, getsockopt, ioctlsocket, send, shutdown, closesocket, WSASend, WSASetLastError, inet_pton, ntohs, __WSAFDIsSet, WSAStartup, WSACleanup, socket, bind, listen, WSAGetOverlappedResult, connect, WSACreateEvent, WSAEventSelect, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, recv, WSAResetEvent, WSACloseEvent, WSAGetLastError, freeaddrinfo, getaddrinfo, inet_ntop, htons, select, WSAStringToAddressA, WSARecv
WINMM.dll	timeGetTime
SHELL32.dll	CommandLineToArgvW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 20:57:09.232709885 CET	49707	80	192.168.2.6	103.235.47.188
Dec 10, 2024 20:57:09.352664948 CET	80	49707	103.235.47.188	192.168.2.6
Dec 10, 2024 20:57:09.352744102 CET	49707	80	192.168.2.6	103.235.47.188
Dec 10, 2024 20:57:11.190124989 CET	49707	80	192.168.2.6	103.235.47.188
Dec 10, 2024 20:57:11.462136030 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:11.581598997 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:11.581671953 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:11.597552061 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:11.716922045 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:13.171914101 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:13.218350887 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:13.503958941 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:13.623404980 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:13.855581045 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:13.974951982 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:13.975054979 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:13.975209951 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:14.094429970 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:15.501208067 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:15.544945955 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:15.578440905 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:15.697978020 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:23.624608994 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:23.743875980 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:25.702755928 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:25.822446108 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:33.749607086 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:33.868994951 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:35.827774048 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:35.949265003 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:43.874610901 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:43.994211912 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:45.952790976 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:46.072066069 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:53.999696970 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:54.119518042 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:57:56.077753067 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:57:56.197503090 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:04.124643087 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:04.243915081 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:06.202764034 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:06.322051048 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:14.249644995 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:14.368870020 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:14.378014088 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:14.498291016 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:16.327792883 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:16.447204113 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:16.862456083 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:16.982110023 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:24.499644995 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:24.619369030 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:26.984107018 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:27.105360031 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:34.624677896 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:34.744251013 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:37.109074116 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:37.229079008 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:44.749665976 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:44.870816946 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:47.234070063 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:47.353444099 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:54.874821901 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:54.994086027 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:58:57.359031916 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:58:57.482988119 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:04.999684095 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:05.120052099 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:07.484136105 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:07.603691101 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:14.738495111 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:14.858305931 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:17.239583015 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:17.361779928 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:24.859066963 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:24.978475094 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:27.374701023 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:27.495471954 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:34.984070063 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:35.103465080 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:37.499758959 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:37.620651007 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:45.109174967 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:45.228841066 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:47.624700069 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:47.747801065 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:55.234095097 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:55.353646040 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 20:59:57.749695063 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 20:59:57.869338989 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 21:00:05.359257936 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 21:00:05.478781939 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 21:00:07.874706984 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 21:00:07.994079113 CET	80	49710	43.154.172.193	192.168.2.6
Dec 10, 2024 21:00:15.484078884 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 21:00:15.603648901 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 21:00:15.612907887 CET	49708	80	192.168.2.6	43.154.172.193
Dec 10, 2024 21:00:15.732475042 CET	80	49708	43.154.172.193	192.168.2.6
Dec 10, 2024 21:00:15.828195095 CET	49710	80	192.168.2.6	43.154.172.193
Dec 10, 2024 21:00:15.951997042 CET	80	49710	43.154.172.193	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 20:57:09.048140049 CET	64462	53	192.168.2.6	1.1.1.1
Dec 10, 2024 20:57:09.187827110 CET	53	64462	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 20:57:09.048140049 CET	192.168.2.6	1.1.1.1	0x8283	Standard query (0)	www.baidu.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 20:57:09.187827110 CET	1.1.1.1	192.168.2.6	0x8283	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 20:57:09.187827110 CET	1.1.1.1	192.168.2.6	0x8283	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 20:57:09.187827110 CET	1.1.1.1	192.168.2.6	0x8283	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Dec 10, 2024 20:57:09.187827110 CET	1.1.1.1	192.168.2.6	0x8283	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	43.154.172.193	80	5164	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 20:57:11.597552061 CET	56	OUT	Data Raw: 02 24 27 25 0c 02 14 07 14 1a 10 02 23 0f 2f 10 0a 08 25 24 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 Data Ascii: $'%#/%$::::::::::::::::::::::::::::::::=8
Dec 10, 2024 20:57:13.171914101 CET	85	IN	Data Raw: 05 1c 07 14 16 1f 25 04 07 22 18 0a 25 10 2f 24 1e 2e 17 02 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5e 3a 3a 3a 27 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c 63 b2 12 b1 e2 b3 e2 01 92 dc 56 1c 56 9c 60 9a d7 8a df 8a 9a 00 00 bc Data Ascii: %"%/$.::::::::::::::::;:::^:::':::::::=8xcVV`a
Dec 10, 2024 20:57:13.503958941 CET	796	OUT	Data Raw: 05 1c 07 14 16 1f 25 04 07 22 18 0a 25 10 2f 24 1e 2e 17 02 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 90 1c 3a 3a de 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 59 df 6f 12 41 10 36 f0 d2 16 c4 3e f0 d0 10 63 4c 63 d4 18 e3 93 4f Data Ascii: %"%/$.::::::::::::::::;:::::8::::::=8xYoA6>cLcOzHeRS4_7shq(4d{;mS@[Z>Db2LY@/$1RHRHNxRO:bicx(m6K13J6#pK=)~7RCJat
Dec 10, 2024 20:57:23.624608994 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:57:33.749607086 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:57:43.874610901 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:57:53.999696970 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:58:04.124643087 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:58:14.249644995 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:58:14.378014088 CET	624	OUT	Data Raw: 2c 11 1a 2e 1b 1a 08 21 1e 1a 2e 15 0c 12 25 2f 27 0d 2c 1f 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 32 1a 3a 3a 36 25 3a 3a 02 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 5d 6b 1a 41 14 85 3e 15 9a 87 3e f8 10 a4 94 22 a5 29 25 14 1f fa Data Ascii: ,.!.%/',::::::::::::::::2::6%::8::::::=8xX]kA>>")%tSaw1[BAkbcGrE[+w;s{g\|0=<x_4}\|G!_#XX2`w2kJ"zD'.-J7QN/M%\SxJFle:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49710	43.154.172.193	80	6464	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 20:57:13.975209951 CET	56	OUT	Data Raw: 05 1c 07 14 16 1f 25 04 07 22 18 0a 25 10 2f 24 1e 2e 17 02 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 Data Ascii: %"%/$.::::::::::::::::::::::::::::::::=8
Dec 10, 2024 20:57:15.501208067 CET	85	IN	Data Raw: 22 16 2c 26 11 20 02 2b 26 16 2d 1f 0a 1b 0c 16 10 2a 2b 0c 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5e 3a 3a 3a 27 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c 63 b2 12 b1 e2 b3 e2 01 92 dc 56 1c 56 9c 60 9a d7 8a df 8a 9a 00 00 bc Data Ascii: ",& +&-*+::::::::::::::::;:::^:::':::::::=8xcVV`a
Dec 10, 2024 20:57:15.578440905 CET	768	OUT	Data Raw: 2f 15 14 16 0b 29 2a 2a 26 2a 21 13 2f 25 2c 28 12 2c 00 0b 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 42 1c 3a 3a f2 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 df 6f 12 41 10 36 f0 d2 16 c4 3e f0 d0 5c 8c 69 1a a3 c6 18 9f 7c Data Ascii: /)*&!/%,(,::::::::::::::::;:::B::8::::::=8xXoA6>\i\|&G8C4_9G)9f2~3{vGd%,2H-^(9RHRHN\|RO:ci(y866`Oxww8-\| 2
Dec 10, 2024 20:57:25.702755928 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:57:35.827774048 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:57:45.952790976 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:57:56.077753067 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:58:06.202764034 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:58:16.327792883 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 20:58:16.862456083 CET	624	OUT	Data Raw: 26 0e 1a 29 2c 07 19 06 09 02 06 1d 16 26 0a 00 1b 03 1e 24 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 32 1a 3a 3a 36 25 3a 3a 02 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 5d 6b 1a 41 14 85 3e 15 9a 87 3e f8 10 a4 94 22 a5 29 25 14 1f fa Data Ascii: &),&$::::::::::::::::2::6%::8::::::=8xX]kA>>")%tSaw1[BAkbcGrE[+w;s{g\|0=<x_4}\|G!_#XX2`w2kJ"zD'.-J7QN/M%\SxJFle:

Target ID:	0
Start time:	14:57:07
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2024-12-10#U67e5#U9605_uninst.exe"
Imagebase:	0x7ff7d9a10000
File size:	2'319'360 bytes
MD5 hash:	0AA972DC4D2FE4C5F9A7A9D26EA3F51F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:57:08
Start date:	10/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:57:10
Start date:	10/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:57:10
Start date:	10/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase:	0x7ff642ec0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:57:11
Start date:	10/12/2024
Path:	C:\Program Files\Windows Mail\arphaCrashReport64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Mail\arphaCrashReport64.exe"
Imagebase:	0x7ff6dd480000
File size:	238'384 bytes
MD5 hash:	8B5D51DF7BBD67AEB51E9B9DEE6BC84A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:57:11
Start date:	10/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	14:57:12
Start date:	10/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase:	0x7ff642ec0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	18.6%
Signature Coverage:	25.6%
Total number of Nodes:	441
Total number of Limit Nodes:	22

Executed Functions

Function 00000001800015B0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 211
servicestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00000001800015E5
memcpy.NTDLL ref: 0000000180001609
malloc.MSVCRT ref: 0000000180001613
memset.NTDLL ref: 0000000180001648
memset.NTDLL ref: 00000001800016A8
GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
malloc.MSVCRT ref: 00000001800016CD
memset.NTDLL ref: 00000001800016E7
memcpy.NTDLL ref: 00000001800016F5
OpenSCManagerW.ADVAPI32 ref: 0000000180001789
EnumServicesStatusExW.ADVAPI32 ref: 00000001800017D0
malloc.MSVCRT ref: 00000001800017E2
memset.NTDLL ref: 00000001800017FC
EnumServicesStatusExW.ADVAPI32 ref: 0000000180001838
CloseServiceHandle.ADVAPI32 ref: 0000000180001845
free.MSVCRT ref: 000000018000184E
CloseServiceHandle.ADVAPI32 ref: 0000000180001856
lstrcmpiW.KERNEL32 ref: 0000000180001881

Strings

Schedule, xrefs: 0000000180001872

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
String ID: Schedule
API String ID: 3636854120-2739827629
Opcode ID: 70ccbce7ac579554b00e68964982556cd3487ef553e62ff7290f06c43de960f4
Instruction ID: 77915f136d28d9010cc6e861f3bfda285807add5c1f84c5dca0c70953a9b4365
Opcode Fuzzy Hash: 70ccbce7ac579554b00e68964982556cd3487ef553e62ff7290f06c43de960f4
Instruction Fuzzy Hash: A3A1AE36705B8486EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

Function 00007FF7D9A4ADD0 Relevance: 28.1, APIs: 5, Strings: 2, Instructions: 15804networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D9A33200: ResetEvent.KERNEL32(?,?,?,?,00007FF7D9AAD30E), ref: 00007FF7D9A33211

WSAGetLastError.WS2_32 ref: 00007FF7D9A56D70
WSAGetLastError.WS2_32 ref: 00007FF7D9A59E82
GetLastError.KERNEL32 ref: 00007FF7D9A5C58E
SetLastError.KERNEL32 ref: 00007FF7D9A5C5B0

Strings

bh5(', xrefs: 00007FF7D9A4F682
,4=H, xrefs: 00007FF7D9A53CE1

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast$EventReset
String ID: bh5('$,4=H
API String ID: 3410914340-298069639
Opcode ID: 8bf2926e3c4078e62d6db7854044052cef78856126e4dd2c86e2c5eb1fe41bbb
Instruction ID: 27d166f31a6485c67fa56c765b65b2d428ee2a2706200183a824a1b9b51f250a
Opcode Fuzzy Hash: 8bf2926e3c4078e62d6db7854044052cef78856126e4dd2c86e2c5eb1fe41bbb
Instruction Fuzzy Hash: EC743E72A0C5D24BD328EF74A8A15FEB7F1AB85341F84523BD58DC7A5ACA2CA105CF50

Function 00007FF7D9A6B922 Relevance: 15.5, APIs: 7, Instructions: 5049networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 00007FF7D9A6C23A
WSAGetLastError.WS2_32 ref: 00007FF7D9A6C293
connect.WS2_32 ref: 00007FF7D9A6DD10
GetLastError.KERNEL32 ref: 00007FF7D9A6DDCA

Part of subcall function 00007FF7D9A2DAD0: select.WS2_32 ref: 00007FF7D9A2DCB4

WSAEventSelect.WS2_32 ref: 00007FF7D9A6EA0C
WSASetLastError.WS2_32 ref: 00007FF7D9A6F229
WSASetLastError.WS2_32 ref: 00007FF7D9A70EEC

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast$connect$EventSelectselect
String ID:
API String ID: 2159918928-0
Opcode ID: 02f99bb89bd9bec302923d8007e00a99b7d901f9d53df09aa5ed8d383f7659a2
Instruction ID: 04dacf0082d31d55581e7ea7c6011f2037f19f8058ce84548089152ed89f9230
Opcode Fuzzy Hash: 02f99bb89bd9bec302923d8007e00a99b7d901f9d53df09aa5ed8d383f7659a2
Instruction Fuzzy Hash: 51B34172A0C5D24BD328EF74A8A16BEB7F19BC5341F84523BD58DC7A5ACA2CA504CF50

Function 00007FF7D9A602E6 Relevance: 12.6, APIs: 3, Instructions: 8149networkmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D9A48AB0: StrChrA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,00007FF7D9A488E1), ref: 00007FF7D9A48ADE

WSASetLastError.WS2_32 ref: 00007FF7D9A61B38
socket.WS2_32 ref: 00007FF7D9A61F1C
VirtualAlloc.KERNELBASE ref: 00007FF7D9A6699E

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocErrorLastVirtualsocket
String ID:
API String ID: 2017719348-0
Opcode ID: e88fd56ae137a1c74461e8097582d2c5e2c0598196ac759611b4794dc1e3bd91
Instruction ID: 65ebfcde5ac431803fb8fcc1fd922b9128bcac249ce2f2d42f285abde188b001
Opcode Fuzzy Hash: e88fd56ae137a1c74461e8097582d2c5e2c0598196ac759611b4794dc1e3bd91
Instruction Fuzzy Hash: 90045072A085D24FD328EF74D8A16FD77F1AB85349F84523BD54DCBA5ACA2CA204CB50

Function 00000001800080F2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
memorynativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000817B
WriteProcessMemory.KERNELBASE ref: 000000018000820C
memset.NTDLL ref: 0000000180008354
memcpy.NTDLL ref: 0000000180008375
NtAlpcConnectPort.NTDLL ref: 00000001800083E7

Strings

0, xrefs: 000000018000828B
Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!, xrefs: 0000000180008315

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocAlpcConnectMemoryPortProcessVirtualWritememcpymemset
String ID: 0$Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!
API String ID: 2322259470-3460289035
Opcode ID: 7606ac36fa39d5fba01efb1612d82c7ec8bc058541244c139688a313f2a7d181
Instruction ID: 0b600ae3a3e83453483b19f834bfc71158cd70f74abece231445517b9c63723b
Opcode Fuzzy Hash: 7606ac36fa39d5fba01efb1612d82c7ec8bc058541244c139688a313f2a7d181
Instruction Fuzzy Hash: 35713DB5324EC891EFA5CF65E8587DA6362F788798F80A216DE4D07668DF3CC249C700

Function 0000000180009BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 0000000180009CB9

Strings

@, xrefs: 0000000180009CA1

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
Instruction ID: 13e2f726a9112c9c31c995d983c9da114070f7450b087ebba6d3042457f4b947
Opcode Fuzzy Hash: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
Instruction Fuzzy Hash: 8F41CF32318B9881EB65CF62F854BD67764F788784F519116EE8D43B14DF38C61AC700

Function 0000000180005824 Relevance: 3.0, APIs: 2, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 000000018000587E
NtQuerySystemInformation.NTDLL ref: 00000001800058CD

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: InformationQuerySystemrealloc
String ID:
API String ID: 4089764311-0
Opcode ID: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
Instruction ID: b0525076bbbf58c043072cd616ac76dc382e5d39b6996fcf6a95a9be821e6ce1
Opcode Fuzzy Hash: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
Instruction Fuzzy Hash: 27015EB632498485FB55CBA6E86839BB362E38CBD4F44E0269E0D47758CE28C1098700

Function 00007FF7D9BE0A20 Relevance: 3.0, Instructions: 2990COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID:
API String ID: 2573137834-0
Opcode ID: 002b99e58013bd091bb3f1efd12dfbcd04e87f10befed7b9ccd1c4f08ecaca4e
Instruction ID: 05f1b38f87a68ac30ce8f32d72f0e813ed29c0387e72794011613f755a2f12f9
Opcode Fuzzy Hash: 002b99e58013bd091bb3f1efd12dfbcd04e87f10befed7b9ccd1c4f08ecaca4e
Instruction Fuzzy Hash: DD63D962E0C99119E30ADF3498E013DFFF69F85785BC88337E54EA6515EA2DA243CB50

Function 00000001800054D5 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE ref: 000000018000559C

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
Instruction ID: 9c50cbf5d08d3b6d4a605893f6b359a3682b26f1feaf6ace4ca51b493498b96a
Opcode Fuzzy Hash: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
Instruction Fuzzy Hash: 9211BFB1614B8885FB61CFA5E8187C773A0E38D794F45A116DE4E17B64CF38C209C704

Function 00007FF7D9BDE680 Relevance: .9, Instructions: 933COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0746b3e73b7ebd77920953652783f00b32297ebf0d4588ce81e063e50ea78c0e
Instruction ID: f9948e6b10f57569a271de6b5e98297d51e6ee7c72d4d38a06dc9e0423820610
Opcode Fuzzy Hash: 0746b3e73b7ebd77920953652783f00b32297ebf0d4588ce81e063e50ea78c0e
Instruction Fuzzy Hash: 23A2C862D1C9D105D316EF3498E023EFEB6AF85785FC98337E18E92515EE2DA142CB50

Function 000001BCEE8608D0 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 231
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001BCEE8609EF

Strings

ocat, xrefs: 000001BCEE86092E
ateH, xrefs: 000001BCEE86097D
lloc, xrefs: 000001BCEE860976
ntdl, xrefs: 000001BCEE86095B
RtlR, xrefs: 000001BCEE860920
l.dl, xrefs: 000001BCEE860913
RtlA, xrefs: 000001BCEE86096F
l.dl, xrefs: 000001BCEE860962
eap, xrefs: 000001BCEE860984
eHea, xrefs: 000001BCEE860935
eAll, xrefs: 000001BCEE860927
ntdl, xrefs: 000001BCEE860909

Memory Dump Source

Source File: 00000000.00000002.2146085707.000001BCEE860000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCEE860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bcee860000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: LibraryLoad
String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
API String ID: 1029625771-3994871222
Opcode ID: b11f4f2f506f70575e309f4ee35f27514d2eccd09e92f81734cd8165a29d1a1f
Instruction ID: 874fac5e5ab5e50c7f0e8f4854b0a1ab3dba0b9a304f7676fb5438b42d02453e
Opcode Fuzzy Hash: b11f4f2f506f70575e309f4ee35f27514d2eccd09e92f81734cd8165a29d1a1f
Instruction Fuzzy Hash: 9671D031614A0ACBEBA89F5CD8457EE7BE1FF94390F104119D84AC728ADB34D842CBD9

Function 00007FF7D9C02140 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7D9C02772,?,?,00000000,00007FF7D9BFF985), ref: 00007FF7D9C022BC
GetProcAddressForCaller.KERNELBASE(?,?,?,00007FF7D9C02772,?,?,00000000,00007FF7D9BFF985), ref: 00007FF7D9C022C8

Strings

api-ms-, xrefs: 00007FF7D9C02206
ext-ms-, xrefs: 00007FF7D9C02219

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AddressCallerFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3520295827-537541572
Opcode ID: 2aad29cd30e0b31b49d84af00daefe6c2f6c56548210d022b1ceaf4a48be1a8b
Instruction ID: 39b25d02f97b21708faeeb6bb797cdf4692a7170df589362b3d9efb1d66758a9
Opcode Fuzzy Hash: 2aad29cd30e0b31b49d84af00daefe6c2f6c56548210d022b1ceaf4a48be1a8b
Instruction Fuzzy Hash: BB411422B19A0281FA95EF629800A7DA2B1BF45BE0FC94237DD0D67799DF3CE444C320

Function 0000000180001920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 000000018000194B
GetModuleFileNameW.KERNEL32 ref: 000000018000195D
wcsstr.NTDLL ref: 000000018000196F
IsUserAnAdmin.SHELL32 ref: 000000018000197A
ExitProcess.KERNEL32 ref: 00000001800019A1

Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800015E5
Part of subcall function 00000001800015B0: memcpy.NTDLL ref: 0000000180001609
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 0000000180001613
Part of subcall function 00000001800015B0: memset.NTDLL ref: 0000000180001648
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016A8
Part of subcall function 00000001800015B0: GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800016CD
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016E7
Part of subcall function 00000001800015B0: memcpy.NTDLL ref: 00000001800016F5
Part of subcall function 00000001800015B0: OpenSCManagerW.ADVAPI32 ref: 0000000180001789

ExitProcess.KERNEL32 ref: 000000018000198E

Strings

svchost.exe, xrefs: 0000000180001963

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
String ID: svchost.exe
API String ID: 2075570005-3106260013
Opcode ID: 45f69df0e4fed2e44586dca63e0d8318bfe1b258da8823836d84a3e13a2394f6
Instruction ID: 5c56fdee547d7df19f87fbfca49010fe5bdf447972866224b63b2f3b95cb53d0
Opcode Fuzzy Hash: 45f69df0e4fed2e44586dca63e0d8318bfe1b258da8823836d84a3e13a2394f6
Instruction Fuzzy Hash: 9D015631311A4D81FBAADB21E8993DA2360BB8D795F449115A95E46695DF3CC34CC740

Function 00007FF7D9A2CED0 Relevance: 10.6, APIs: 7, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32 ref: 00007FF7D9A2CF64
setsockopt.WS2_32 ref: 00007FF7D9A2CFA1
setsockopt.WS2_32 ref: 00007FF7D9A2CFFF
setsockopt.WS2_32 ref: 00007FF7D9A2D03C

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: c38cac35fdacff014c4541e6b4e3abd54bb6126dc4ab5a11cef0fb7acfa13688
Instruction ID: d9e057a3e489ce7e55702e5afe8cb9bfa15e468950d099377be95fec55e597e5
Opcode Fuzzy Hash: c38cac35fdacff014c4541e6b4e3abd54bb6126dc4ab5a11cef0fb7acfa13688
Instruction Fuzzy Hash: 07513D76A592018BD750EF68E8419ADB7B0FB88784BD01437EA4E83B19CF3CE4148F24

Function 000001BCEE860224 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 227
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001BCEE8602F4
VirtualAlloc.KERNELBASE ref: 000001BCEE8603A1

Strings

RtlAllocateHeap, xrefs: 000001BCEE8602BC
l.dl, xrefs: 000001BCEE86028A
l, xrefs: 000001BCEE860291
ntdl, xrefs: 000001BCEE860283

Memory Dump Source

Source File: 00000000.00000002.2146085707.000001BCEE860000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCEE860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bcee860000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID: RtlAllocateHeap$l$l.dl$ntdl
API String ID: 4275171209-1387368096
Opcode ID: b4c4ed2c585202e7720ad32f940b49e1e34a84d2224b2416f6ee24bbd427b5d8
Instruction ID: 57b79ccb944b2283e2d5180ff3cd273ec5c8b105febcceebda81411fce70d0d1
Opcode Fuzzy Hash: b4c4ed2c585202e7720ad32f940b49e1e34a84d2224b2416f6ee24bbd427b5d8
Instruction Fuzzy Hash: E261A570618A0ACFE7A8EF6CD8456A977E1FB48341F00415ED44AC72A6DF74E842CBD9

Function 00007FF7D9BF6BFC Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D9BF6C27
CreateThread.KERNELBASE ref: 00007FF7D9BF6C68
GetLastError.KERNEL32(?,?,?,?,?,00007FF7D9A19A68), ref: 00007FF7D9BF6C76
CloseHandle.KERNEL32(?,?,?,?,?,00007FF7D9A19A68), ref: 00007FF7D9BF6C8C
FreeLibrary.KERNEL32(?,?,?,?,?,00007FF7D9A19A68), ref: 00007FF7D9BF6C9B

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: bab2295e073a4f6ace4db4130badd438c31a8126a09a57ee1ca7020adb751a51
Instruction ID: ee5256e6afe145b7c9bed6b7a62cf86b89b4bac64bfa456302b380445ae18fef
Opcode Fuzzy Hash: bab2295e073a4f6ace4db4130badd438c31a8126a09a57ee1ca7020adb751a51
Instruction Fuzzy Hash: 47213D25A0AB4A89EE54AF61A41017DE3B0EF88BD0FC54532DE8D43B55EE3EE4508760

Function 00007FF7D9A2AA80 Relevance: 6.1, APIs: 4, Instructions: 107
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 00007FF7D9A2AB1E
WSASetLastError.WS2_32 ref: 00007FF7D9A2AB55
freeaddrinfo.WS2_32 ref: 00007FF7D9A2AC12

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLastfreeaddrinfogetaddrinfo
String ID:
API String ID: 1817844550-0
Opcode ID: a6ae1f46db6b9b4b934caf5453b3632453f573c696a1fdf8df20312b1abb7991
Instruction ID: f59387269c23fa4c17ba10f9394ccbac4a39b4bc6789b82ffad9037c40a35118
Opcode Fuzzy Hash: a6ae1f46db6b9b4b934caf5453b3632453f573c696a1fdf8df20312b1abb7991
Instruction Fuzzy Hash: 92510936A186858BD654EF69E4906AEF3B0FBC4784FC05036EA8E93B55DE3CE444CB10

Function 000000018000AD3E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000ADC2

Strings

@, xrefs: 000000018000ADAC

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
Instruction ID: 6b845daad974ccd9c6abd76d61111d535f536517db2d34ef27256cbb8d76cfd7
Opcode Fuzzy Hash: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
Instruction Fuzzy Hash: 7B016DB5729A8C41FBA9CBA1F465BD62360A78DBD4F40A21A9D0E17B55DE2CC2068304

Function 00007FF7D9A2DAD0 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32 ref: 00007FF7D9A2DCB4

Part of subcall function 00007FF7D9A2DDE0: GetLastError.KERNEL32(?,?,?,?,00007FF7D9A2DD82), ref: 00007FF7D9A2DDE8

__WSAFDIsSet.WS2_32 ref: 00007FF7D9A2DD9D

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: dc751306dc8cf1236dd36cb09db1014315388741eb5250ea4012c355936f6198
Instruction ID: 6094a64def6830a8021de1cfd0c5092a2acce4d74ba8ee688a6aea0fc540a9d9
Opcode Fuzzy Hash: dc751306dc8cf1236dd36cb09db1014315388741eb5250ea4012c355936f6198
Instruction Fuzzy Hash: 4991EC7290D6418BD658EF28E490AADF3B1EBD4344F905136E68E97B59DA3CE840CF14

Function 000001BCEE86070D Relevance: 3.1, APIs: 2, Instructions: 108
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 000001BCEE86075D
VirtualProtect.KERNELBASE ref: 000001BCEE8607AE

Memory Dump Source

Source File: 00000000.00000002.2146085707.000001BCEE860000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCEE860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bcee860000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction ID: 092e706ae7ad4c03c15a75e9228587ed599bdad95a692feed2ceae8c4eec13d6
Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction Fuzzy Hash: 8C31C531658602CBDB6C9A0CE8826B573D1F755344F24015CD987CB18BEB3AE843CED9

Function 000001BCEE860000 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001BCEE860179

Strings

run, xrefs: 000001BCEE8601A5

Memory Dump Source

Source File: 00000000.00000002.2146085707.000001BCEE860000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCEE860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bcee860000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID: run
API String ID: 4275171209-1349952704
Opcode ID: e5dc8825a7370ff9ec57641739cdc0d48f865f2156bb471bdecd58f16db5c67c
Instruction ID: f282f9b9f4ad56e0a0ff21c07ae6fad356b1666a59e0b5617e3379eb67dcb8d5
Opcode Fuzzy Hash: e5dc8825a7370ff9ec57641739cdc0d48f865f2156bb471bdecd58f16db5c67c
Instruction Fuzzy Hash: 3A11DF3031494D8BDB98FEACC880BEC76D2EB98359F010229A44AC3285CE78C8428BD5

Function 00007FF7D9A2CBF0 Relevance: 3.1, APIs: 2, Instructions: 56
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32 ref: 00007FF7D9A2CCA1
WSAGetLastError.WS2_32 ref: 00007FF7D9A2CCB7

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorIoctlLast
String ID:
API String ID: 4052769934-0
Opcode ID: ed837b09f12dab1b763b41369a70df7f490d427acf7979e47f9f45fbe10ef913
Instruction ID: bb53b035fe32854dc89355549e89f0156b32b2502d22f0a90aaad8155f69cca4
Opcode Fuzzy Hash: ed837b09f12dab1b763b41369a70df7f490d427acf7979e47f9f45fbe10ef913
Instruction Fuzzy Hash: 5131C4729486418BE754EF68E44176AF7B0FB88794F90412AE68D83B18DB7CE458CF14

Function 00007FF7D9A8E15E Relevance: 1.8, APIs: 1, Instructions: 311networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 00007FF7D9A8E1FC

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: EnumEventsNetwork
String ID:
API String ID: 1334179165-0
Opcode ID: 4ebcac89412e7efc30e7a2640db87857a87e6e34a58adc62e6712ee0787db7c2
Instruction ID: 2385b439f9f038de0a02d6d47f78f37b38356ececbdb3b850b23a07048fe2a48
Opcode Fuzzy Hash: 4ebcac89412e7efc30e7a2640db87857a87e6e34a58adc62e6712ee0787db7c2
Instruction Fuzzy Hash: D9E13072A0C5D28BD318EF38A8A55BEBBF19B85341F84513BD58DC3A5ACA2CE504CF54

Function 00007FF7D9A35B20 Relevance: 1.6, APIs: 1, Instructions: 56networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00007FF7D9A35B0A), ref: 00007FF7D9A35BD0

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d9a925ab13b5f89ad6467af50c660541581057f2aad2aeabf3dab3806dc53e3c
Instruction ID: b936c774acdbcffabe6fcd89996dfca710bbcd598fdead19f646247118920c72
Opcode Fuzzy Hash: d9a925ab13b5f89ad6467af50c660541581057f2aad2aeabf3dab3806dc53e3c
Instruction Fuzzy Hash: 44216D26F25B64CDF704DFB5A8912BC37B4A718788F84046AEE8D67B59CE3890608720

Function 00007FF7D9C0189C Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D9C01954: HeapAlloc.KERNEL32(?,?,?,00007FF7D9C018B9,?,?,00000000,00007FF7D9BF6A8B,?,?,?,00007FF7D9C004D7,?,?,?,00007FF7D9C003CD), ref: 00007FF7D9C01992

RtlReAllocateHeap.NTDLL(?,?,00000000,00007FF7D9BF6A8B,?,?,?,00007FF7D9C004D7,?,?,?,00007FF7D9C003CD,?,?,00000000,00007FF7D9C007AE), ref: 00007FF7D9C01909

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: a07a89cb0b122696095850704bbce82ee04866544705d1835cf35ed82e0b98d6
Instruction ID: 9c2e7e770f151c51011bfc2fbe44a403384e3436cae08bee793a13a091e4d510
Opcode Fuzzy Hash: a07a89cb0b122696095850704bbce82ee04866544705d1835cf35ed82e0b98d6
Instruction Fuzzy Hash: 8E01EC10E1860746FEE47EB2554227DD2B05F457E4FD94733D92D662CAEE2CE5404731

Function 000000018000A9BE Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000AA41

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
Instruction ID: 251b8e02f3a2b925dc00676b0f08ae0c6924386de3889a0ff5d432a66f8cfcc3
Opcode Fuzzy Hash: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
Instruction Fuzzy Hash: 75012CB5619E8C41FBA9CBA1F464BDA6774E78DB94F40A11ADE0E17B51DF28C20AC304

Function 0000000180008E30 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

RtlAdjustPrivilege.NTDLL ref: 0000000180008E96

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AdjustPrivilege
String ID:
API String ID: 3260937286-0
Opcode ID: 5d6e4b59ff8a6b8225dc495acd6b689647a659c3c95a76a3c66f1975b6b2e2b3
Instruction ID: 006989147f6c0ef173a6ad63e481d54274f3f56e0f4d918a3b7be20be4d5dd86
Opcode Fuzzy Hash: 5d6e4b59ff8a6b8225dc495acd6b689647a659c3c95a76a3c66f1975b6b2e2b3
Instruction Fuzzy Hash: 18F04F3A334F8C81EBE9DB21E85979667A0B74CB98F41A406ED4D43B64CE3DC2158B00

Function 0000000180005A0D Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetProcessId.KERNELBASE ref: 0000000180005A81

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Process
String ID:
API String ID: 1235230986-0
Opcode ID: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
Instruction ID: d652ffa87c38ed1c04ac93e0a0d2335ef1528c7a1f19fbd04ef7ff50280f2555
Opcode Fuzzy Hash: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
Instruction Fuzzy Hash: 0C018BB271490485EB54CB59E4503AB7371F78DBD8F50A122EF4E87764DF29C256C704

Function 000000018000AF22 Relevance: 1.5, APIs: 1, Instructions: 31injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000AF9F

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
Instruction ID: 56856a108c934b35fd8b12db096080665d1aff2e22ecb35535ebb708edeb7d18
Opcode Fuzzy Hash: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
Instruction Fuzzy Hash: 9101E8B5319E8891FBA9CB52E898386A362A78DBD0F51D1169D0D47768CE2DC109C304

Function 000000018000A8B2 Relevance: 1.5, APIs: 1, Instructions: 30injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000A932

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
Instruction ID: 440d9c2e63d84a318507e4d3145013176a8cc7cafd38941c5fd7eab054e276a3
Opcode Fuzzy Hash: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
Instruction Fuzzy Hash: 4A013CF5319E8881FBA5CB56E898786A762E78EBD4F41D1168D4D0B768CF3DC109C304

Function 000000018000B100 Relevance: 1.5, APIs: 1, Instructions: 30injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000B17E

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
Instruction ID: 24c97e1a4b5bf787aa031fe235fe3c6da918f95ea593df74073bd4adbefb4954
Opcode Fuzzy Hash: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
Instruction Fuzzy Hash: 73F03CF5329E9981FBA5CB12EC58786A322F789BD4F41E1168D0D4B768CE2DC2098384

Function 00007FF7D9A2CA80 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF7D9A2CACF

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: af89ea1b8ec91a43d788d3702766a00663bf58fa3567b022c96e23f12184821a
Instruction ID: 10484eda8f503f5835054135a225b3c98e7080f6f6248617e196ecf647551ffc
Opcode Fuzzy Hash: af89ea1b8ec91a43d788d3702766a00663bf58fa3567b022c96e23f12184821a
Instruction Fuzzy Hash: 3FF0F935A28A418BE650EF29E84146EB3B0FBC8788FD05126FA9D87718DB3DE0158F14

Function 00007FF7D9BFF958 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D9BFF96C

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2cf6b01025c55fe36bac35e1374138a8c0fdc424bddf6831c527cfc152c669fd
Instruction ID: 71bfa0b051585700a30803afe75ac7344fbb13bae9ba649687dfc0ea54e1076b
Opcode Fuzzy Hash: 2cf6b01025c55fe36bac35e1374138a8c0fdc424bddf6831c527cfc152c669fd
Instruction Fuzzy Hash: B5E0ED25A0B10A8AFE247FA488453BD96709F41305FD28032D50C562C6EF2EA4125731

Function 00007FF7D9A2CA20 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF7D9A2CA52

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: b0bfba42d1e121afd2aa587a6bf0855246f236eddc80dfa68d8ee748d5dd00b9
Instruction ID: e85b04da8059bc65fa8b96f280c57b6b6f6235733a13c59c32a9d204bed0aa45
Opcode Fuzzy Hash: b0bfba42d1e121afd2aa587a6bf0855246f236eddc80dfa68d8ee748d5dd00b9
Instruction Fuzzy Hash: A7E0A571A28A418BE650EF25E85116EB3B0FBC9788FD05126FA9E93728DF3CD4158F50

Function 000001BCEE860544 Relevance: 1.4, APIs: 1, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,00000000,-00000010,-00000001,00000000,00000000,000001BCEE8603CF), ref: 000001BCEE8605F5

Memory Dump Source

Source File: 00000000.00000002.2146085707.000001BCEE860000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCEE860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bcee860000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 554d3170c60eca2eb45742e049d3fa52307cae005affeb1c7ff9a92fbe018032
Instruction ID: 825a4fe15c5f869f1056b712e98ca4c943be7858c1cd5dd36286b8d55f320faa
Opcode Fuzzy Hash: 554d3170c60eca2eb45742e049d3fa52307cae005affeb1c7ff9a92fbe018032
Instruction Fuzzy Hash: 0A31E97060860ACFE76CDB6CD4556B9B7D1EB88351F20052EE18AC3346EB34D843CB85

Function 00007FF7D9C019B4 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF7D9C01FBA,?,?,00003F1D5F10EFDC,00007FF7D9BF6DC1,?,?,?,?,00007FF7D9C018D2,?,?,00000000), ref: 00007FF7D9C01A09

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: a86d170df06594815dba4405610f31e691f9023b579b5647a33137061aee6a42
Instruction ID: 73f0f37ea2e694ac8560d79f45feeb55f05180332468d9478503d609bd9ee787
Opcode Fuzzy Hash: a86d170df06594815dba4405610f31e691f9023b579b5647a33137061aee6a42
Instruction Fuzzy Hash: 05F04954B0920745FE957EB299413BDD2B06F49BD0FC84433C90EA6686EE5CA6808331

Function 00007FF7D9C01954 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7D9C018B9,?,?,00000000,00007FF7D9BF6A8B,?,?,?,00007FF7D9C004D7,?,?,?,00007FF7D9C003CD), ref: 00007FF7D9C01992

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 59a06c0fe47b61a158d5c0987dd7de93d021d18a07cf429da4402c5438593290
Instruction ID: 26a078a3885789f3f897ccc5ed4e2b8bfc34903a0ffeab75bf307e7aab58ce8a
Opcode Fuzzy Hash: 59a06c0fe47b61a158d5c0987dd7de93d021d18a07cf429da4402c5438593290
Instruction Fuzzy Hash: 83F0FE15B0D20A45FE957EB1584137DD2B15F447E0FD95632DD2EA52CADE1CA4808231

Non-executed Functions

Function 0000000180001010 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 317filesleepmemoryCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000000018000103C
malloc.MSVCRT ref: 00000001800010C9
memcpy.NTDLL ref: 00000001800010EB
memcpy.NTDLL ref: 0000000180001100
memset.NTDLL ref: 00000001800011B4
wsprintfW.USER32 ref: 00000001800011D5
CreateFileW.KERNEL32 ref: 0000000180001203
GetLastError.KERNEL32 ref: 0000000180001212
WriteFile.KERNEL32 ref: 0000000180001233
GetLastError.KERNEL32 ref: 000000018000123D
CloseHandle.KERNEL32 ref: 0000000180001246
Sleep.KERNEL32 ref: 0000000180001251
memset.NTDLL ref: 0000000180001266
wsprintfW.USER32 ref: 0000000180001287
CreateFileW.KERNEL32 ref: 00000001800012B5
GetLastError.KERNEL32 ref: 00000001800012C4
WriteFile.KERNEL32 ref: 00000001800012E5
GetLastError.KERNEL32 ref: 00000001800012EF
CloseHandle.KERNEL32 ref: 00000001800012F8
Sleep.KERNEL32 ref: 0000000180001303
memset.NTDLL ref: 0000000180001318
wsprintfW.USER32 ref: 0000000180001339
CreateFileW.KERNEL32 ref: 0000000180001367
GetLastError.KERNEL32 ref: 0000000180001376
WriteFile.KERNEL32 ref: 0000000180001393
GetLastError.KERNEL32 ref: 000000018000139D
CloseHandle.KERNEL32 ref: 00000001800013A6
Sleep.KERNEL32 ref: 00000001800013B1
VirtualAlloc.KERNEL32 ref: 00000001800013D4
memcpy.NTDLL ref: 00000001800013F0
CreateThread.KERNEL32 ref: 000000018000140C
VariantInit.OLEAUT32 ref: 0000000180001441
SysAllocString.OLEAUT32 ref: 00000001800014A3
GetLastError.KERNEL32 ref: 00000001800014BE
memset.NTDLL ref: 00000001800014D6
wsprintfW.USER32 ref: 00000001800014F4
memset.NTDLL ref: 000000018000152F
memcpy.NTDLL ref: 0000000180001544
CreateThread.KERNEL32 ref: 0000000180001562

Strings

\Microsoft\Windows, xrefs: 000000018000149C
%s\%s, xrefs: 00000001800011C7, 0000000180001279, 000000018000132B, 00000001800014E9

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
String ID: %s\%s$\Microsoft\Windows
API String ID: 1085075972-4137575348
Opcode ID: 8ffd0cab172734a36e43c1cf7f5894ebfd94f3a2633384a290ba864bc3d060c0
Instruction ID: 94de6d573fa0d8927b5bb826392d177512a30fcfd5af4058503230c0fb562cf8
Opcode Fuzzy Hash: 8ffd0cab172734a36e43c1cf7f5894ebfd94f3a2633384a290ba864bc3d060c0
Instruction Fuzzy Hash: EDF17A32701F8985F7A6CF64E8487DD33A4F78DBA8F449215EE9A56694EF38C249C700

Function 0000000180001A10 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 162comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0000000180001A3B
CLSIDFromString.OLE32 ref: 0000000180001CFA
IIDFromString.OLE32 ref: 0000000180001D0D
CoCreateInstance.OLE32 ref: 0000000180001D2C

Strings

A::, xrefs: 0000000180001A4F
Y:\:, xrefs: 0000000180001AD8
^:G:, xrefs: 0000000180001B44
Y::, xrefs: 0000000180001C46
X:[:, xrefs: 0000000180001BAA
:_:, xrefs: 0000000180001AF0
:, xrefs: 0000000180001CA0
\:[:, xrefs: 0000000180001B9B
X:^:, xrefs: 0000000180001AE8
:Y:, xrefs: 0000000180001C3F
\:^:, xrefs: 0000000180001C4D

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: FromString$CreateInitializeInstance
String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
API String ID: 511945936-2205580742
Opcode ID: b21433bbcfd500ff2e1a040f01b86cf70ebae5ae9220c9be1f718c8c064dbea4
Instruction ID: d33754435be79ee62176bbf206138c07fbdd3e121f941c643f14d68da248290d
Opcode Fuzzy Hash: b21433bbcfd500ff2e1a040f01b86cf70ebae5ae9220c9be1f718c8c064dbea4
Instruction Fuzzy Hash: 2291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00

Function 0000000180001D60 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 227memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000180001DA5
SysAllocString.OLEAUT32 ref: 0000000180001DE4
SysAllocString.OLEAUT32 ref: 0000000180001DF0
IIDFromString.OLE32 ref: 0000000180001F31
SysAllocString.OLEAUT32 ref: 0000000180001F61
SysAllocString.OLEAUT32 ref: 0000000180001F71
VariantInit.OLEAUT32 ref: 0000000180001FEA
SysAllocString.OLEAUT32 ref: 0000000180001FF7

Strings

SYSTEM, xrefs: 0000000180001DD9
{4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}, xrefs: 0000000180001F26

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: String$Alloc$FromInitVariant
String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
API String ID: 929278495-107290059
Opcode ID: f90c8e403a0b1249590ad1665be699f9ac10e390f971a03fc807c8f653187a63
Instruction ID: e54bcdf9e92cae3ed311456612b02479e66d2eb3af00e5f4fdd7df8a388e748b
Opcode Fuzzy Hash: f90c8e403a0b1249590ad1665be699f9ac10e390f971a03fc807c8f653187a63
Instruction Fuzzy Hash: 6EB1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300

Function 0000000180028464 Relevance: 14.7, APIs: 9, Instructions: 1208COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00000001800284AD
_invalid_parameter_noinfo.LIBCMT ref: 0000000180028AB8
_invalid_parameter_noinfo.LIBCMT ref: 0000000180028C7B
_invalid_parameter_noinfo.LIBCMT ref: 0000000180028E82
_invalid_parameter_noinfo.LIBCMT ref: 0000000180029146
_invalid_parameter_noinfo.LIBCMT ref: 0000000180029341
memcpy_s.LIBCPMT ref: 000000018002942F
memcpy_s.LIBCPMT ref: 00000001800294DA
memcpy_s.LIBCPMT ref: 00000001800295A3

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID:
API String ID: 808467561-0
Opcode ID: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
Instruction ID: 4599084cfb13f8c747939fbc3aba35a6bd4e8a08bbcc0f0b71949d4f47730483
Opcode Fuzzy Hash: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
Instruction Fuzzy Hash: 5FB2E0766022998BE7A7CE69D544BED37A5F78C3C8F509125EA0657B88DF34CB48CB00

Function 0000000180007550 Relevance: 9.2, Strings: 7, Instructions: 485COMMON

Download Yara Rule

Strings

ntdll.dll, xrefs: 000000018000780A
NtAlpcSetInformation, xrefs: 0000000180007B33
TpAllocAlpcCompletion, xrefs: 0000000180007A0A
?Vse4", xrefs: 000000018000759B
NtAlpcConnectPort, xrefs: 0000000180007C5F
NtAlpcCreatePort, xrefs: 00000001800078E1
\RPC Control\, xrefs: 0000000180007729

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: ?Vse4"$NtAlpcConnectPort$NtAlpcCreatePort$NtAlpcSetInformation$TpAllocAlpcCompletion$\RPC Control\$ntdll.dll
API String ID: 0-3440571002
Opcode ID: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
Instruction ID: 8c3100648684ed6cf3a6acba9f1e9974d33f54458c7afc613a7cd7d66638faa8
Opcode Fuzzy Hash: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
Instruction Fuzzy Hash: 53124DF5720E9891EF94CBB9E8687C66362F78D798F81A117DE0D57624DE38C20AC700

Function 00007FF7D9A449E0 Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF7D9A44AD6
bind.WS2_32 ref: 00007FF7D9A44B25
WSAGetLastError.WS2_32 ref: 00007FF7D9A44C15
WSAGetLastError.WS2_32 ref: 00007FF7D9A44C64
WSAGetLastError.WS2_32 ref: 00007FF7D9A44BA2

Part of subcall function 00007FF7D9A44700: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7D9A25191), ref: 00007FF7D9A44727

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast$bindsocket
String ID:
API String ID: 2672188334-0
Opcode ID: 4f19865bda3b12aa65bde297c8eeb848f29aeb92f68061c147d016fa6e1a1ed0
Instruction ID: d1c192f270ddafd049a0c506ad8544a80724da79f8cbeaac0c9952f84c04e1d5
Opcode Fuzzy Hash: 4f19865bda3b12aa65bde297c8eeb848f29aeb92f68061c147d016fa6e1a1ed0
Instruction Fuzzy Hash: BB812D76A096428AEA54EF25E85066EF7B0FBC4784FD04037E64D83B69DE3CE444CB60

Function 0000000180016D88 Relevance: 7.0, Strings: 5, Instructions: 783COMMON

Download Yara Rule

Strings

__swift_1, xrefs: 0000000180017D10
__unaligned, xrefs: 0000000180017A1E
__swift_2, xrefs: 0000000180017D34
call, xrefs: 0000000180016FE8
__restrict, xrefs: 0000000180017B37

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ExceptionThrow
String ID: __restrict$__swift_1$__swift_2$__unaligned$call
API String ID: 432778473-3141380587
Opcode ID: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
Instruction ID: 673e966dcc0d85f334313fac89718d38bf41ed5ef13417959e8c730922fdb805
Opcode Fuzzy Hash: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
Instruction Fuzzy Hash: 5C627E72701E8882EB86EB25D4583DD27A1FB8EBD4F408125FA5E577A6DF38C649C700

Function 00007FF7D9A97926 Relevance: 5.5, Strings: 1, Instructions: 4274COMMON

Download Yara Rule

Strings

?j., xrefs: 00007FF7D9A9894C

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: ?j.
API String ID: 0-2477978973
Opcode ID: 024b7acfd1758d27c6e8c075e34bbad76411bd8d2b3a40a63b342cf025c009fe
Instruction ID: 79ac59ed15d738664ee88dfb99e211046bece22b34276dd32b119839ab6c935b
Opcode Fuzzy Hash: 024b7acfd1758d27c6e8c075e34bbad76411bd8d2b3a40a63b342cf025c009fe
Instruction Fuzzy Hash: 69933172A0C5D24BD329EF34A8A16BEB7F5AB85341FC4523BD58DC7A56CA2CA104CF50

Function 0000000180023B98 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180023BFC

Strings

gfffffff, xrefs: 0000000180023E99

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701

Function 0000000180003DBC Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

WinSta0\Default, xrefs: 000000018000409C
taskmgr.exe, xrefs: 0000000180003F94
C:\windows\system32\, xrefs: 0000000180003F43
C:\windows\, xrefs: 00000001800040A8

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$taskmgr.exe
API String ID: 0-638001070
Opcode ID: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
Instruction ID: 1bf4e9e1e70513e3816d114cab4aa84c7a719184b3830627372934e1f9606700
Opcode Fuzzy Hash: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
Instruction Fuzzy Hash: 0C8127F5324E9982EF95CBA8F8697D66322F7897D8F80A112CD1E57624DE38D209C704

Function 0000000180003AE0 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

WinSta0\Default, xrefs: 0000000180003C39
C:\windows\system32\, xrefs: 0000000180003B90
winver.exe, xrefs: 0000000180003BE1
C:\windows\, xrefs: 0000000180003C45

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$winver.exe
API String ID: 0-1160837885
Opcode ID: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
Instruction ID: 55855d67a1f766f1614c6ad6b77d44964cb4204ffe99e224a87b86ff19b563fd
Opcode Fuzzy Hash: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
Instruction Fuzzy Hash: C841A4B5324E9882FF55CB69F8687966322F789BD8F40A116CD5E4B764DE3CC20AC704

Function 00007FF7D9AADC36 Relevance: 4.9, APIs: 1, Instructions: 3644COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF7D9AB1511

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c3dd4c0e9385bfd57a55dd02cfd5c7f506640c84b3a23a86f047f0916954dca1
Instruction ID: f616db96705a6a914a5c401bae0991eb0545b19cc0f5676b297dfba146b9d6bd
Opcode Fuzzy Hash: c3dd4c0e9385bfd57a55dd02cfd5c7f506640c84b3a23a86f047f0916954dca1
Instruction Fuzzy Hash: 9A736272A085D24FD32CEF7498A16FE77F19B85349F84523BD54DCBA5ACA2CA204CB50

Function 0000000180028038 Relevance: 4.8, APIs: 3, Instructions: 317COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 000000018002809E
memcpy_s.LIBCPMT ref: 00000001800280C9

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
Instruction ID: 57088630f82899a46a4f04304140a90d468cb093ad556e4d18a7d8c59b71a2f9
Opcode Fuzzy Hash: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
Instruction Fuzzy Hash: 5EC1387671628987EB66CF19E044B9EB791F7987C4F44C125EB4A43B84DB38EA09DB00

Function 00007FF7D9A2D9D0 Relevance: 3.1, APIs: 2, Instructions: 55networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32 ref: 00007FF7D9A2DA59
WSAGetLastError.WS2_32 ref: 00007FF7D9A2DA6F

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ErrorLastRecv
String ID:
API String ID: 904507345-0
Opcode ID: deb7d056b98802d721299dea02c37c7f98589deea631aa3ca4c427b9f49b8a50
Instruction ID: 922441bd251287c7bb55d4cff29d2439b51a1a99da2d0e857d8dd554d43ff499
Opcode Fuzzy Hash: deb7d056b98802d721299dea02c37c7f98589deea631aa3ca4c427b9f49b8a50
Instruction Fuzzy Hash: C2212B36A1C6418BE754EF28E48066EB7B0FB88784F901136EA8D87725DB3CE440CF10

Function 000000018001FED8 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

ko-KR, xrefs: 000000018001FEEC
0, xrefs: 00000001800200A7

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$ko-KR
API String ID: 3215553584-2196303776
Opcode ID: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
Instruction ID: 454ebc8193fa5ca865f8f1965dd2a4e4b4682b0a5584ee5ea9980d899769f2f6
Opcode Fuzzy Hash: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
Instruction Fuzzy Hash: 3A71D33521070D82FBFB9A1990807E963A1E74D7C4FA4D126BE49437ABCF35CA4B9705

Function 0000000180003220 Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

0, xrefs: 0000000180003282
p, xrefs: 00000001800032F3

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: 0$p
API String ID: 0-2059906072
Opcode ID: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
Instruction ID: 3ee67f828506e40d833cc10e170725f94807106ad1cab914bfb00022e22d59fe
Opcode Fuzzy Hash: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
Instruction Fuzzy Hash: A731F075605E9D81EB55DF56E894BD62321F388BD8F42A212ED4E0BB24EE3CC15AC700

Function 0000000180024EB0 Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180024EF9

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
Instruction ID: 1f61cd1c6d9a0cc47e5c3170d1c15f4e9de5b8ae94a737795fa3a990e1df4aaf
Opcode Fuzzy Hash: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
Instruction Fuzzy Hash: 0BA1E67231069881EBA3DB66A8047DAA3A0F78DBD4F549526FE9D07BC4DF78C64D8304

Function 000000018002C080 Relevance: 1.7, APIs: 1, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000018002C2CF

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
Instruction ID: 0593f73a9b31075b8e6bf2cb9e383320a294c5aeb291d1da762f6cdddc12ea76
Opcode Fuzzy Hash: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
Instruction Fuzzy Hash: 10B12B73600B88CBEB56CF29C88679C77A0F349B88F19C916EB59877A8CB35C955C701

Function 0000000180010F18 Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

l section in CAtlBaseModule, xrefs: 0000000180010FB7

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ExceptionThrow
String ID: l section in CAtlBaseModule
API String ID: 432778473-2709337986
Opcode ID: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
Instruction ID: 3133a5dfd5f79aac6ce2c53f471fbcfe22b2aa6c2a7d5a5a984ae032cb248d46
Opcode Fuzzy Hash: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
Instruction Fuzzy Hash: 23027C36600E8886EB96DF25E8443DD73A1FB8DBD5F448526EA4E43BA4DF38C648C700

Function 00000001800180EE Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

__restrict, xrefs: 00000001800183C3

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: __restrict
API String ID: 0-803856930
Opcode ID: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
Instruction ID: 2a1f3f8c5416bf1435224dd1e95b651f0a407b08188742a7ac323c2b5a68232f
Opcode Fuzzy Hash: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
Instruction Fuzzy Hash: DAF15936601F4886EB928F65D8543DC73A5EB8DBC8F548526FE0E47BA4DE78CB498340

Function 00007FF7D9A18CF2 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF7D9A18D54

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 7b0ed490353ac5753f53b679cf1d633e8f55c468c51ae4daf13fe6cf5aa634ea
Instruction ID: a26a10c7614f7251b2fbc4aa8f8a6794f9a5fb2843fbe755b55e474904f5037d
Opcode Fuzzy Hash: 7b0ed490353ac5753f53b679cf1d633e8f55c468c51ae4daf13fe6cf5aa634ea
Instruction Fuzzy Hash: 1F11EC36A186018BD764DF19E89156EB3B1FBC8748FD05026FA9E87729DA3CE411CF20

Function 000000018001FC0C Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

0, xrefs: 000000018001FDDB

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
Instruction ID: 71f2418fc044250fc616a08c0bb954c8cfb89a1255eab9d4a98bc77a135e3a3b
Opcode Fuzzy Hash: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
Instruction Fuzzy Hash: 5871E235210A0D82FBFB9A29A0407F92392E7487C4F94D016BE46577EACF35CA4B9745

Function 0000000180002C8A Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

201ef99a-7fa0-444c-9399-19ba84f12a1a, xrefs: 0000000180002DAE

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: 201ef99a-7fa0-444c-9399-19ba84f12a1a
API String ID: 0-3963691810
Opcode ID: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
Instruction ID: f859e3b1c76c282179c02603d62779a177e542a7d14e57d8a75f66858979eba8
Opcode Fuzzy Hash: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
Instruction Fuzzy Hash: A54153B1715B9D46EF89CB78D9653A62322FB8C7ACF40A516C90E47765DE38C209C300

Function 0000000180002526 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

ncalrpc, xrefs: 00000001800025DE

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: ncalrpc
API String ID: 0-2983622238
Opcode ID: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
Instruction ID: 72ca54434e2e545ad87ad6f85711ca4f80c48705b1af1cf0b8a8e1738ac29a0d
Opcode Fuzzy Hash: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
Instruction Fuzzy Hash: 99312FB1721A6952EF49CF78E8687966762F79C794F91E522CE0E4B624DE3CC209C700

Function 00007FF7D9AB494C Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d2a2c5cf828a8c708c3c6e26cc7a7284321eea6bb625a0dda2739eaddb4e08
Instruction ID: 720886922789b3c7942ea0eaedd65c6537183e5502f0ee9290e47f28f7114561
Opcode Fuzzy Hash: 84d2a2c5cf828a8c708c3c6e26cc7a7284321eea6bb625a0dda2739eaddb4e08
Instruction Fuzzy Hash: 8B921032A0C5D28BD318EF74A4A16BEBBF1AB85345F84513BD58DC7A5ACA2CE405CF50

Function 00007FF7D9BDF9A0 Relevance: .8, Instructions: 770COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eea02c496926168e0f2016d62dcd4b3212950ef3c49fc117d334fa2024440a6
Instruction ID: 29610d46189a502eb153f5ce9aab794f8fa5fc4f18526c2524b1c694137a0f77
Opcode Fuzzy Hash: 2eea02c496926168e0f2016d62dcd4b3212950ef3c49fc117d334fa2024440a6
Instruction Fuzzy Hash: D082C762D1C9D145E316DF34A8E023EFEB6AF85785FC8833BE18E56515EE2DA142CB10

Function 0000000180014848 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
Instruction ID: 6d80879f2b6ca484a565809d41c0eb2dabc8ae21e66747f9efe079bfb1bd8c10
Opcode Fuzzy Hash: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
Instruction Fuzzy Hash: DA22D177310AA882EB46DB65C0547AC33B6FB48B84F028116FB599B7B1DF38D668C354

Function 000000018000DEE8 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
Instruction ID: 946e0dd2bba7b3100fd246393857d7d015b19ff97fe3a12f1d34a5a40530aed8
Opcode Fuzzy Hash: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
Instruction Fuzzy Hash: E4E181722046C986EBB2CB15E8943E977A1F78E7D4F84C121EA8A936D5DF78C64DC700

Function 0000000180029E8C Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
Instruction ID: c02e86e1f92cc5576d6cd232989999bceb531278b49536794b781076c4770d9c
Opcode Fuzzy Hash: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
Instruction Fuzzy Hash: BFE1D032708A848AE793CF68E5803DD77B1F74A7D8F548116EA4E57B99DE38C25AC700

Function 00000001800151E8 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
Instruction ID: 207e761d23252ea67ff1337872d1fa257f2b4668b6d9f4a23401ae9418e5b291
Opcode Fuzzy Hash: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
Instruction Fuzzy Hash: AFB1AB72A10B8886E352CF39D8457DC37A4F389B88F519216EE4D17B66DF35D689CB00

Function 00000001800069E0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30536b62a6d0da437fd114397cfbd3f50a9eae59392f0b1b67c723097f145a58
Instruction ID: 24312ee17ac27d640e5902fdf911b4c821bd108a67df2382ab98bc71ef406521
Opcode Fuzzy Hash: 30536b62a6d0da437fd114397cfbd3f50a9eae59392f0b1b67c723097f145a58
Instruction Fuzzy Hash: C8410672B10A5886EB14CB64F815B9AB3A8F788794F505025DF8E47B68EF3CC156C700

Function 000000018000469C Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
Instruction ID: 6a73b4ca67aa358b5cca9cf8f50e7addbf38a80432c4fb2377473208703d20e7
Opcode Fuzzy Hash: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
Instruction Fuzzy Hash: 645126E9654B9982EF94DBA9F8693D62322FB497D8F80F112CE1E57724DD38D209C304

Function 00000001800096E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
Instruction ID: b6fa69fb7e3d6089a58b1dc0a55349c666dd73e1d328c0310e1d9ae523244059
Opcode Fuzzy Hash: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
Instruction Fuzzy Hash: A351CF32715F8896EB64CB65F94478A73A5F7887C4F54412AEA8E83B28EF3CD119C700

Function 0000000180008EC0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
Instruction ID: 9937fe3f73516922539d469a7d9b5dbd200fa43091dfd9594953e81ca0841af9
Opcode Fuzzy Hash: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
Instruction Fuzzy Hash: 7F51C2B5760E9982EB64CF65E8687D66321FB89BD4F44E126DE0E57B24DE3CC11AC300

Function 0000000180021F44 Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
Instruction ID: 211af31c44281ca6c3f3932d9a28d26ed70725301ca9e5a4bb4aa04c7d8998f6
Opcode Fuzzy Hash: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
Instruction Fuzzy Hash: 25419232310A5886EB85CF6AE954399A391E34CFD4F49D427EE4D97B58DE3CC649C300

Function 000000018000B1AC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219bf7831b4ff29649a0959f5cba49ff1e968e7e299094c0451f4ae6976958c1
Instruction ID: 6cb90250f36c561b05bdbfb3a32d9520807f84a022e52005c3b8c35e7831f1c3
Opcode Fuzzy Hash: 219bf7831b4ff29649a0959f5cba49ff1e968e7e299094c0451f4ae6976958c1
Instruction Fuzzy Hash: B54103B3714E4995EB25CF61E86478AB3A5F3887D8F44E126EE4D07A18DF38C246C300

Function 000000018001AA6C Relevance: .1, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
Instruction ID: 048e6db2ecfd184872977d7eb727c5e493510e05d032e6f18c4ab6865a9947bf
Opcode Fuzzy Hash: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
Instruction Fuzzy Hash: B341B37261C6888AF7EB8F15B4847967B91E34E3D0F11C429F94A87691DF79C6888F00

Function 0000000180006AB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
Instruction ID: ea9816badbe891c07a2aded6d1ec92d5857af46983f2473552b7590bc608b90a
Opcode Fuzzy Hash: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
Instruction Fuzzy Hash: 24419D76B20A8886EB14CB65F45479AB365F38CBC4F40912ADE4E53B68DE3CC216C740

Function 000000018000C2D0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
Instruction ID: ff810da637aa1fd401c95da2c6d69315e604f84d2d111450c1a2a7c20e68e2a5
Opcode Fuzzy Hash: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
Instruction Fuzzy Hash: B941FFB2318F89D6DB54CFA5E4A579A7B61F388788F84901ADE4E47A14DF38C12AC340

Function 000000018000C6F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
Instruction ID: 1f6bebfb10a220892d2831274fb9d9e41c253fa787b11ea253d3ff134c5c468f
Opcode Fuzzy Hash: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
Instruction Fuzzy Hash: FF419FB2214F88D2EB54CF55E88478AB7A6F3447C4F94D126EE8D5BA18CF78C15AC740

Function 000000018000BEB0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
Instruction ID: d558cfae5a731fffe16df58c07b62597b32ae423ecf54f032ed4b289fbb168ab
Opcode Fuzzy Hash: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
Instruction Fuzzy Hash: 4041D3B2324E4DD2DF48CB15E454B9A7365F748BC8F658216DA4E87768EF39C21AC700

Function 000000018000B620 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
Instruction ID: c4b80034388e89da8ffe7b427c8155ba048d36e5b74cf413b7ce4096cc0294b9
Opcode Fuzzy Hash: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
Instruction Fuzzy Hash: AC4126B2728E48A2DB14CF25E69878E7762F3443C4F45A206EE4E57328DF39C225C700

Function 000000018000C370 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
Instruction ID: 30f2c0aa2bc627d33595a3753288768bcaf23473739ac437f1ff85fbf168e941
Opcode Fuzzy Hash: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
Instruction Fuzzy Hash: FA31CFB2764E8987EB94CFA4E4657EA3B21F384398F84911BDE4F47A14DE68C01AC341

Function 000000018000435B Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
Instruction ID: 42c4d16a0e0d136c5a94160c46d85d5892129638e54f14ca30ac4ff8e229c4e5
Opcode Fuzzy Hash: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
Instruction Fuzzy Hash: 65310DF9654B9892EB55DBB8F8697C62322F74D7D8F81B502CE0E27624DE38D209C740

Function 000000018000947B Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
Instruction ID: 91db3ca7ca736f51b2b9f4a1fdda40ff6b442f2c49d3b76bc6f7bd54feb42801
Opcode Fuzzy Hash: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
Instruction Fuzzy Hash: 2531FBB5314E8481EF99CF66ECA93A66362FB88BE4F54E1168E0F57B64CE3DC1458304

Function 0000000180004153 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
Instruction ID: b9540b73c02fa2fd8fd9ed4b04a7558bae6bb2522907684b3f8178f982c6447f
Opcode Fuzzy Hash: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
Instruction Fuzzy Hash: 3F215EF53159A882EB95CF65E8787972322FB49BD8F81E112CD1E57764DE38C209C304

Function 000000018000B280 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
Instruction ID: 34ebe62695f2a6a6ea2397927167a92a4784dc70ec7df40509b9419055f8788e
Opcode Fuzzy Hash: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
Instruction Fuzzy Hash: 7D31C1F6715A499AEB14CF60E46478AB3A5F3447C8F48E226EA4E47A1CDF78C219C304

Function 0000000180004CB0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
Instruction ID: ea228047f8abccb8f34d8cb69d0855da280cee6fe6b78123f25de321abaee775
Opcode Fuzzy Hash: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
Instruction Fuzzy Hash: BD2101B2724E8885EB95CF62E828B9A7361F38CBD4F419126DE4E47B54CE3CC10AC700

Function 0000000180006F70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
Instruction ID: 6d7058e35041f85eefca8006119c3596d2fa62747ef7dd2be534be946fff4e46
Opcode Fuzzy Hash: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
Instruction Fuzzy Hash: BB21D5B2764E5892DB59CFB6E864BC63761E759BD4F40A116EE0D57324EE38CA06C300

Function 000000018000B6C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
Instruction ID: 64e956f36281cdf23b4cab459502cafc9c3b83219f603c2a53f066b43bdf7739
Opcode Fuzzy Hash: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
Instruction Fuzzy Hash: 9931A2B2724A49A6DB15CF64D25878E7B62F3443D8F49A206DB0E57628EF39C16AC700

Function 0000000180003833 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
Instruction ID: 8007ea01a93bf6de8c95f9a16faa5e8d6c04bd6e38d315922757046993a1328b
Opcode Fuzzy Hash: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
Instruction Fuzzy Hash: 5F2148F5761EA982EB89CFB5E86979A2321E749BD8F41A112CD0E17724DE2CD6098300

Function 0000000180002666 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
Instruction ID: baf3eb62263214422a0973d769ae56c08939dd68f110effc1bb9cb03c9f86de4
Opcode Fuzzy Hash: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
Instruction Fuzzy Hash: CE2159F5720AA892EB85CFB4E468BD627A1F74C3A4F81A413DE0D47620EE39C209C300

Function 00000001800044C1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ba3d73c2f5686b073e58bf77ac5fca37af1a7b10adc11c162e07aac671ca2c
Instruction ID: fb4b37c46674135c9bcda74d3568f44faa2863dc5090cce6e90fb90ae548c0e0
Opcode Fuzzy Hash: f0ba3d73c2f5686b073e58bf77ac5fca37af1a7b10adc11c162e07aac671ca2c
Instruction Fuzzy Hash: 01118EA271498C46FB96DBB4F969BD76322EB4C3A9F80B012DD0D07A55DD3CC24AC700

Function 0000000180002A19 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
Instruction ID: 95480194bb9f6c9ad9d964584a4fad66eb43ce3f3ee230db89eb3e49904c33dd
Opcode Fuzzy Hash: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
Instruction Fuzzy Hash: 56210BF2711A5D92EB49DF75D868BD667A2E78CBD4F41E512CD0E5B624DE3CC2098300

Function 0000000180003717 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
Instruction ID: 02ba138fbc53fc0a7e206b6c0fccc1f4cb11f22df8a79a790e142c2087e4c986
Opcode Fuzzy Hash: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
Instruction Fuzzy Hash: 48213BB6761A5DC5EF49DF65E868B8A6721F788BD8F41A122CD0E47728DE3CD209C700

Function 000000018000290C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
Instruction ID: 4519c20df033b0754d584584f46a47e9c3f61284702b1b178af72c485ed47193
Opcode Fuzzy Hash: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
Instruction Fuzzy Hash: E02160F5714F8482EB45CBB5E8593CA63B1FB897A4F40A506DA4E57A24EE3CD20AC700

Function 0000000180002170 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
Instruction ID: bc53908923a101081ac78a2ff91d1596a8a62396a49556bd27b6b69a29ae519e
Opcode Fuzzy Hash: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
Instruction Fuzzy Hash: 6511E3E262096C82FB59DFA6A869F862332E349BD8F01E123DD5E5B714DD39C10BC300

Function 000000018000360B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
Instruction ID: 8fbfe2caa4e00eb4ae2a73ae29cd16ebba4a4082f14f5113274d96e794981e6d
Opcode Fuzzy Hash: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
Instruction Fuzzy Hash: 0721A4B2709A9882EB55CF64E4687977761FB8C798F41A116DE4E47A14EF3DC109C700

Function 00000001800045A9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
Instruction ID: 9e59c1c7de84271de07ddad5238888e61d5fae15b8e3d2a62c0818bf1ca1a5d9
Opcode Fuzzy Hash: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
Instruction Fuzzy Hash: 2F1151B5714E9882EB54CB74E46839A6361F7887B8F80A316C92E576E4DF39C10AC744

Function 0000000180002777 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
Instruction ID: 453c13d840d8ab8480c25eabad8a5a4e6cf22c2320a7064174f112572a8564ab
Opcode Fuzzy Hash: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
Instruction Fuzzy Hash: 8E113CE171196846FF89CF65D9697665393EB8C7E4F81E426CE0E8B768ED3CC1098304

Function 000000018000225E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
Instruction ID: dcb26d1462b17352493136ca1a284502f5bdb4a1f8be4333a819d013a470b478
Opcode Fuzzy Hash: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
Instruction Fuzzy Hash: 3311C2B6624A9E42E709DFF4B424FCA3771E389750F00B517DE4A53510DE38C21AC300

Function 000000018000284D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
Instruction ID: 1bcc190078e11d5e3502c0fb8cfdf52a8957de65a2b1b8071e9e04ba3849ecfd
Opcode Fuzzy Hash: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
Instruction Fuzzy Hash: 9D1100F5721E9841FB49CB75D4683D66362E788794F80A917CA0F57664DD39C2498340

Function 0000000180003CF2 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
Instruction ID: 81b86e7094c320bcc5e7f926c263843823ab5f04b050e6f3beb40bfc522f2c83
Opcode Fuzzy Hash: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
Instruction Fuzzy Hash: 4F114FB5614E9882EB54CB78F4687DA6321F78C798F80B113CD0E57625EE39C21AC340

Function 0000000180003530 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
Instruction ID: 58ab01e0f729e006e025e3cd5db47f1a357a7dbbf023e6ea43b04656e7f2b6d0
Opcode Fuzzy Hash: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
Instruction Fuzzy Hash: 6A113DB1715E6881EB59CF65E9587866362F74C798F82E122CC4E47728EE39C248C700

Function 0000000180002A06 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
Instruction ID: 246bc5305b8913a4d01db227893256f8bf5d597bde7be6eae501e461eb4fa0bc
Opcode Fuzzy Hash: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
Instruction Fuzzy Hash: A4113CB2711E5C91EB49CF25E868B9A67A1F78CB94F41E526DE0E47768DE3CC209C300

Function 0000000180003464 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
Instruction ID: 91f1bf17694832eb7885352137df2ae2a0c82d5e88c9f87b3bad460dc89f63f9
Opcode Fuzzy Hash: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
Instruction Fuzzy Hash: 451169F531286D82EB89CF65E929B865322E7487D8F82F112CC0E4B718ED39D109C700

Function 0000000180005E58 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
Instruction ID: 39990edd012c80a11a8c246ade81e0b00b1fb03419df7482220b1a2638345046
Opcode Fuzzy Hash: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
Instruction Fuzzy Hash: 7E11A5F1330A8886FB95CBB5E8683DA6361E78D7D4F84B012CE0E47765CE28C20AC304

Function 0000000180003880 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
Instruction ID: 15f0b12e67b83b815c9156cfa897ef3110cdd404d207d48cd89176b21f2d8fa0
Opcode Fuzzy Hash: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
Instruction Fuzzy Hash: 06015EB5751E6D82EB89DF75E4697DA2320EB48B94F82B512CC0E57320ED3CDA0AC300

Function 0000000180002E24 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
Instruction ID: 22dcafcaff4b78d83aaf35a6f31f5da21172cbe544e4bfae6083fdcba81ddec3
Opcode Fuzzy Hash: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
Instruction Fuzzy Hash: 080152F5611E9D82EB45CBB9E8A83D76325E78D7E8F40E1128E0E67625DE38C2098300

Function 00000001800033B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
Instruction ID: c05fe9916e29f3615726ac8ab40efd06a7f832fe150a5180127c36e0d361f74a
Opcode Fuzzy Hash: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
Instruction Fuzzy Hash: 130125F1652E5E82FB59CBA4E569BC66362EB487D8F40F1179D0D07618EE3CD219C304

Function 000000018002BBA8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
Instruction ID: c5723c18dcfd40d5e26eb64c6513ed8ad7c8279d3e69258c72aec0d621b19a73
Opcode Fuzzy Hash: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
Instruction Fuzzy Hash: 15F06871714A548AEBD5CF2CA44276A77D0F30C3C4FA0C519E68983B04D63D8165CF04

Function 00007FF7D9BF0B10 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7D9BF0B40
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7D9BF0B62
GetModuleHandleW.KERNEL32 ref: 00007FF7D9BF0B6F
GetModuleHandleW.KERNEL32 ref: 00007FF7D9BF0B84
GetProcAddress.KERNEL32 ref: 00007FF7D9BF0B9C
GetProcAddress.KERNEL32 ref: 00007FF7D9BF0BAF
CreateEventW.KERNEL32 ref: 00007FF7D9BF0BDB
DeleteCriticalSection.KERNEL32 ref: 00007FF7D9BF0C27
CloseHandle.KERNEL32 ref: 00007FF7D9BF0C39

Strings

kernel32.dll, xrefs: 00007FF7D9BF0B7D
SleepConditionVariableCS, xrefs: 00007FF7D9BF0B92
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF7D9BF0B68
WakeAllConditionVariable, xrefs: 00007FF7D9BF0BA2

Memory Dump Source

Source File: 00000000.00000002.2146728696.00007FF7D9A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9A10000, based on PE: true

Associated: 00000000.00000002.2146715400.00007FF7D9A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146835220.00007FF7D9C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146853847.00007FF7D9C29000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146871649.00007FF7D9C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146899907.00007FF7D9C43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d9a10000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseConcurrency::cancel_current_taskCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3155888939-3242537097
Opcode ID: 456cf0828f244fa9f043f2ede57b6f3d5d42998ea54c165d75fd4badeee2050d
Instruction ID: 0809b8455941fd61b3d77d31d0f26c3084ff7bcc1e90b407e8141edc94b3b7ae
Opcode Fuzzy Hash: 456cf0828f244fa9f043f2ede57b6f3d5d42998ea54c165d75fd4badeee2050d
Instruction Fuzzy Hash: FD313020F0B60B81FA54BF70A8551BCE2B0AF54794FD94537C99E026E2FE2DB4968330

Function 000000018001A7E8 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 000000018001A7F7

Part of subcall function 0000000180019CF8: __vcrt_initialize.LIBVCRUNTIME ref: 0000000180019D1A

__scrt_release_startup_lock.LIBCMT ref: 000000018001A87A
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 000000018001A890
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 000000018001A8BC
__scrt_get_show_window_mode.LIBCMT ref: 000000018001A8CD
__scrt_is_managed_app.LIBCMT ref: 000000018001A8F0
__scrt_uninitialize_crt.LIBCMT ref: 000000018001A907
__scrt_fastfail.LIBCMT ref: 000000018001A939
__scrt_fastfail.LIBCMT ref: 000000018001A944
__security_init_cookie.LIBCMT ref: 000000018001A960

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
String ID:
API String ID: 1326835672-0
Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350

Function 0000000180019F69 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 108COMMON

Download Yara Rule

APIs

__scrt_initialize_onexit_tables.LIBCMT ref: 000000018001A062
__scrt_fastfail.LIBCMT ref: 000000018001A0B1
__scrt_fastfail.LIBCMT ref: 000000018001A0BC
__scrt_fastfail.LIBCMT ref: 000000018001A0C7

Strings

`eh vector vbase constructor iterator', xrefs: 0000000180019F9C
`local vftable', xrefs: 0000000180019FE0
onstructor closure', xrefs: 0000000180019FF4
`udt returning', xrefs: 0000000180019FCC

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
API String ID: 2273495996-2419032777
Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304

Function 000000018002B9A8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018002B9D0
_set_statfp.LIBCMT ref: 000000018002B9EB
_set_statfp.LIBCMT ref: 000000018002BA07
_set_statfp.LIBCMT ref: 000000018002BA43

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302

Function 000000018001F660 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018001F698
_invalid_parameter_noinfo.LIBCMT ref: 000000018001F8D2

Strings

ko-KR, xrefs: 000000018001F6B7
*, xrefs: 000000018001F7A5

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *$ko-KR
API String ID: 3215553584-1095117856
Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750

Function 0000000180017B98 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

__swift_1, xrefs: 0000000180017D10
__swift_2, xrefs: 0000000180017D34

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID:
String ID: __swift_1$__swift_2
API String ID: 0-2914474356
Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340

Function 0000000180023FE4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180024027

Strings

gfff, xrefs: 0000000180024149
o-l1-2-1, xrefs: 00000001800240CC

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfff$o-l1-2-1
API String ID: 3215553584-1082851355
Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700

Function 0000000180024430 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018002459E

Strings

synch-l1-2-0, xrefs: 00000001800244A4
api-ms-win-core-sysinfo-l1-2-1, xrefs: 00000001800244D1

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
API String ID: 3215553584-688204690
Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340

Function 000000018001D646 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001C478: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 000000018001C47C

__DestructExceptionObject.LIBVCRUNTIME ref: 000000018001D66E
__DestructExceptionObject.LIBVCRUNTIME ref: 000000018001D6F8

Strings

csm, xrefs: 000000018001D6CB

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: DestructExceptionObject$__vcrt_getptd_noexit
String ID: csm
API String ID: 3780691363-1018135373
Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction ID: 011c5e600e2baba1b5aebe761702f78806dc8dec4a9d5acc90072a234146c346
Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction Fuzzy Hash: 40212D76204A4887E7B2DF15E05079E7760F39DBE4F008206EEA943795CF39DA8ACB01

Function 000000018001A972 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000018001A99B

Strings

`vector destructor iterator', xrefs: 000000018001A980
nt delete closure', xrefs: 000000018001A9A0

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: __std_exception_copy
String ID: `vector destructor iterator'$nt delete closure'
API String ID: 592178966-1611991873
Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301

Function 000000018001AA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 000000018001AA55
_CxxThrowException.LIBVCRUNTIME ref: 000000018001AA66

Strings

File, xrefs: 000000018001AA5A

Memory Dump Source

Source File: 00000000.00000002.2145725831.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2145703994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145828066.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145850002.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2145868582.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_2024-12-10#U67e5#U9605_uninst.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID: File
API String ID: 932687459-749574446
Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2024-12-10#U67e5#U9605_uninst.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Windows Mail\arphaCrashReport64.exe

C:\Program Files\Windows Mail\arphaDump64.bin

C:\Program Files\Windows Mail\arphaDump64.dll

C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
2024-12-10#U67e5#U9605_uninst.exe

Function 00000001800015B0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 211
servicestringCOMMON

Function 00000001800080F2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
memorynativeinjectionCOMMON

Function 0000000180009BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
memoryCOMMON

Function 000001BCEE8608D0 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 231
libraryCOMMON

Function 00007FF7D9C02140 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
COMMON

Function 0000000180001920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38
COMMON

Function 00007FF7D9A2CED0 Relevance: 10.6, APIs: 7, Instructions: 118
COMMON

Function 000001BCEE860224 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 227
memoryCOMMON

Function 00007FF7D9BF6BFC Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Function 00007FF7D9A2AA80 Relevance: 6.1, APIs: 4, Instructions: 107
networkCOMMON

Function 000000018000AD3E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Function 00007FF7D9A2DAD0 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 000001BCEE86070D Relevance: 3.1, APIs: 2, Instructions: 108
memoryCOMMON

Function 000001BCEE860000 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 80
memoryCOMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre